CVE-2025-27920
HIGH CISA KEVDescription
Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, attackers could access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.
Is your site exposed to CVE-2025-27920?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
CISA Known Exploited Vulnerability
This vulnerability is actively exploited in the wild.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| srimax | output_messenger |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2025-27920? +
How severe is CVE-2025-27920? +
What products are affected by CVE-2025-27920? +
How do I check if I'm vulnerable to CVE-2025-27920? +
Related Vulnerabilities
Emlog is an open source website building system. In 2.6.13 and earlier, the article publishing interface stores a path-traversal template …
esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the …
Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs …
The WP Compress – Image Optimizer [All-In-One] plugin for WordPress is vulnerable to Directory Traversal in all versions up to, …
Emlog Pro 2.5.20 has an arbitrary file deletion vulnerability. This vulnerability stems from the admin/template.php component and the admin/plugin.php component. …
The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller …