CVE-2025-11139CRITICAL 9.8EPSS p46.7%

CVE-2025-11139CVE-2025-11139

Description

A vulnerability was determined in Bjskzy Zhiyou ERP up to 11.0. Affected is the function uploadStudioFile of the component com.artery.form.services.FormStudioUpdater. This manipulation of the argument filepath causes path traversal. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.66% probability of exploitation · percentile 46.7% · 2026-06-18T12:00:27Z
Published2025-09-29
Last modified2026-04-29

Underlying weaknesses· 1

CWE-22

References

  1. https://github.com/FightingLzn9/vul/blob/main/%E6%97%B6%E7%A9%BA%E6%99%BA%E5%8F%8Berp-2.md
  2. https://vuldb.com/?ctiid.326216
  3. https://vuldb.com/?id.326216
  4. https://vuldb.com/?submit.658077

1

TypeTargetConfidenceTier
WeaknessImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')cwe-220%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-11140
CVE
CVE-2025-9391
CVE
CVE-2025-11630
CVE
CVE-2025-2708
CVE
CVE-2025-3381
CVE
CVE-2025-2743
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.