CVE-2025-66518HIGH 8.8EPSS p54.7%

CVE-2025-66518CVE-2025-66518

Description

Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config. This issue affects Apache Kyuubi: from 1.6.0 through 1.10.2. Users are recommended to upgrade to version 1.10.3 or upper, which fixes the issue.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.89% probability of exploitation · percentile 54.7% · 2026-06-19T12:03:05Z
Published2026-01-05
Last modified2026-01-27

Underlying weaknesses· 2

CWE-27CWE-22

References

  1. https://lists.apache.org/thread/xp460bwbyzdhho34ljd4nchyt2fmhodl
  2. http://www.openwall.com/lists/oss-security/2026/01/05/1

2

TypeTargetConfidenceTier
WeaknessImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')cwe-220%live
WeaknessPath Traversal: 'dir/../../filename'cwe-270%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-4789
CVE
CVE-2025-0670
CVE
Apache Kylin OS Command Injection Vulnerability
CVE
CVE-2025-67030
CVE
CVE-2025-11625
CVE
CVE-2025-62630
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.