CVE-2025-24891 · CRITICAL 9.6 · EPSS percentile 43.7%


Description

Dumb Drop is a file upload application. Users with permission to upload to the service are able to exploit a path traversal vulnerability to overwrite arbitrary system files. As the container runs as root by default, there is no limit to what can be overwritten. With this, it is possible to inject malicious payloads into files that run on a schedule or upon certain service actions. As the service is not required to run with authentication enabled, this may permit wholly unprivileged users root access; otherwise, anybody with a PIN can do so.

Scoring

CVSS 3.1: 9.6 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.59% probability of exploitation · percentile 43.7% · 2026-06-18T12:00:27Z
Published: 2025-01-31
Last modified: 2026-04-15

Underlying weaknesses · 2

CWE-22, CWE-276

References

  1. https://github.com/DumbWareio/DumbDrop/commit/cb586316648ccbfb21d27b84e90d72ccead9819d
  2. https://github.com/DumbWareio/DumbDrop/security/advisories/GHSA-24f2-fv38-3274


Type     | Target                                                                          | Confidence | Tier
Weakness | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (cwe-22) | 0%   | live
Weakness | Incorrect Default Permissions (cwe-276)                                         | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-59818
  2. CVE-2026-45230
  3. CVE-2025-59171
  4. CVE-2025-58423
  5. CVE-2026-21628
  6. CVE-2025-41735

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.