CVE-2025-22137 · CRITICAL 9.8 · EPSS p42.4%

Description

Pingvin Share is a self-hosted file sharing platform and an alternative to WeTransfer. This vulnerability allows an authenticated or unauthenticated (if anonymous shares are allowed) user to overwrite arbitrary files on the server, including sensitive system files, via HTTP POST requests. The issue has been patched in version 1.4.0.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.57% probability of exploitation · percentile 42.4% · 2026-06-19T12:03:05Z
Published: 2025-01-08
Last modified: 2026-04-15

Underlying weaknesses · 2

CWE-20, CWE-434

References

  1. https://github.com/stonith404/pingvin-share/commit/6cf5c66fe2eda1e0a525edf7440d047fe2f0e35b
  2. https://github.com/stonith404/pingvin-share/commit/c52ec7192080c402bd804e69be93dd88cc7c5c70
  3. https://github.com/stonith404/pingvin-share/security/advisories/GHSA-rjwx-p44f-mcrv

| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Improper Input Validation (cwe-20) | 0% | live |
| Weakness | Unrestricted Upload of File with Dangerous Type (cwe-434) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-44196
CVE: CVE-2025-53251
CVE: CVE-2025-32579
CVE: CVE-2026-33645
CVE: CVE-2026-34745
CVE: CVE-2025-41347

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.