CVE-2025-22137

9.8 CRITICAL

Published: January 08, 2025 Modified: April 15, 2026

Description

Pingvin Share is a self-hosted file sharing platform and an alternative for WeTransfer. This vulnerability allows an authenticated or unauthenticated (if anonymous shares are allowed) user to overwrite arbitrary files on the server, including sensitive system files, via HTTP POST requests. The issue has been patched in version 1.4.0.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/stonith404/pingvin-share/commit/6cf5c66fe2eda1e0a525edf7440d047fe2f0e35b

Source: security-advisories@github.com

https://github.com/stonith404/pingvin-share/commit/c52ec7192080c402bd804e69be93dd88cc7c5c70

Source: security-advisories@github.com

https://github.com/stonith404/pingvin-share/security/advisories/GHSA-rjwx-p44f-mcrv

Source: security-advisories@github.com

3 reference(s) from NVD

Quick Stats

CVSS v3 Score

9.8 / 10.0

EPSS (Exploit Probability)

0.2%

40th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-20 CWE-434

Related CVEs

CVE-2026-41113 8.1

CVE-2026-40308 N/A

CVE-2026-40249 N/A

CVE-2026-40248 N/A

CVE-2026-40247 N/A