CVE-2025-3486 · HIGH 8.8 · EPSS percentile 72.0%

Description

Allegra isZipEntryValide Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Allegra. Authentication is required to exploit this vulnerability (PR:L in the vector below). The specific flaw exists within the implementation of the isZipEntryValide method, which does not properly validate a user-supplied path before using it in file operations, so an archive entry name is able to escape the directory it is meant to be written under (CWE-22). An attacker can leverage this vulnerability to execute code in the context of LOCAL SERVICE. Tracked by ZDI as ZDI-CAN-25730 (advisory ZDI-25-255).
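The weakness class named above, CWE-22 applied to archive entry names (the "zip slip" pattern), shown as an added example in Python. This is not Allegra's code and does not reproduce the real isZipEntryValide implementation, whose internals the advisory does not publish; it shows a hypothetical prefix-only check of the kind that fails against such input beside a canonical-path check that holds, run over a constructed archive. All function names, the sample archive contents and the temporary destination directory are assumptions of this example.

```python
import io
import tempfile
import zipfile
from pathlib import Path


def is_zip_entry_valid_naive(name: str) -> bool:
    """Weak, prefix-only check (hypothetical; illustrates the CWE-22 pattern).

    It rejects only names that *start* with '../' or '/', so a traversal
    sequence buried after a legitimate directory component slips through.
    """
    return not (name.startswith("../") or name.startswith("/"))


def is_zip_entry_valid(dest_dir: str, name: str) -> bool:
    """Hardened check: the entry must resolve to a path inside dest_dir.

    Canonicalise dest_dir and the candidate target, then require that the
    target lies below the destination. Absolute names, any number of '..'
    components and '..' hidden mid-path are all caught by resolve().
    """
    # Reject empty names, NUL bytes and backslashes: a backslash is a
    # separator on Windows but a literal filename character on POSIX, so
    # it must never reach the filesystem layer at all.
    if not name or "\x00" in name or "\\" in name:
        return False
    base = Path(dest_dir).resolve()
    target = (base / name).resolve()   # an absolute name replaces base here
    try:
        target.relative_to(base)
    except ValueError:
        return False
    # relative_to() accepts target == base; an entry naming the destination
    # itself is not something we want to write.
    return target != base


def safe_extract(zip_bytes: bytes, dest_dir: str) -> tuple[list[str], list[str]]:
    """Extract only entries that pass is_zip_entry_valid.

    Returns (extracted, rejected) entry names. Symlink entries are written
    as regular files here (zipfile does not create symlinks), so a later
    entry cannot be redirected through an earlier one.
    """
    base = Path(dest_dir).resolve()
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_zip_entry_valid(dest_dir, info.filename):
                rejected.append(info.filename)
                continue
            target = (base / info.filename).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry plus two traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        zf.writestr("../../outside.txt", "would land two levels above dest")
        zf.writestr("docs/../../escaped.txt", "traversal hidden behind a valid dir")
    return buf.getvalue()


def run_demo() -> dict:
    """Run both validators over the sample archive, then extract it safely."""
    dest = tempfile.mkdtemp(prefix="zip-traversal-demo-")  # assumed scratch dir
    with zipfile.ZipFile(io.BytesIO(build_sample_zip())) as zf:
        names = zf.namelist()
    naive = {n: is_zip_entry_valid_naive(n) for n in names}
    hardened = {n: is_zip_entry_valid(dest, n) for n in names}
    # Extra probes that never go through zipfile: absolute path, Windows
    # separators, empty name.
    probes = ["/etc/passwd", "..\\..\\win.ini", ""]
    extra = {p: is_zip_entry_valid(dest, p) for p in probes}
    extracted, rejected = safe_extract(build_sample_zip(), dest)
    return {
        "naive": naive,
        "hardened": hardened,
        "extra_probes": extra,
        "extracted": extracted,
        "rejected": rejected,
        "readme_written": (Path(dest) / "docs" / "readme.txt").exists(),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The prefix check accepts `docs/../../escaped.txt` because the name does not begin with `../`; the canonical-path check rejects it because the resolved target is outside the destination. In a Java server the equivalent is comparing `File.getCanonicalPath()` of the target against the canonical destination directory plus a trailing separator, rather than string-matching the raw entry name.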

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.56% probability of exploitation · percentile 72.0% (as of 2026-06-18T12:00:27Z)
Published: 2025-05-22
Last modified: 2025-08-15

Underlying weaknesses (1)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

References

  1. https://alltena.com/en/resources/release-notes/release-notes-for-release-8-1-2
  2. https://www.zerodayinitiative.com/advisories/ZDI-25-255/

Type      | Target                                                                                   | Confidence | Tier
Weakness  | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (cwe-22)  | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2025-3485
  - CVE: CVE-2026-10621
  - CVE: CVE-2025-6445
  - CVE: CVE-2025-57790
  - CVE: CVE-2025-48817
  - CVE: CVE-2025-41735

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.