FKIE_CVE-2025-69601

Vulnerability from fkie_nvd - Published: 2026-01-28 19:16 - Updated: 2026-02-09 17:25
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
A directory traversal (Zip Slip) vulnerability exists in the “Static Sites” feature of 66biolinks v44.0.0 by AltumCode. Uploaded ZIP archives are automatically extracted without validating or sanitizing file paths. An attacker can include traversal sequences (e.g., ../) in ZIP entries to write files outside the intended extraction directory. This allows static files (html, js, css, images) file write to unintended locations, or overwriting existing HTML files, potentially leading to content defacement and, in certain deployments, further impact if sensitive files are overwritten.
References
cve@mitre.orghttps://gist.github.com/Waqar-Arain/9cd59aa74de540eeb3b09d15bac35e36Exploit, Third Party Advisory
Impacted products
Vendor Product Version
altumcode 66biolinks 44.0.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:altumcode:66biolinks:44.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "00EE5075-C301-4499-9115-A0CA3D87AFD7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A directory traversal (Zip Slip) vulnerability exists in the \u201cStatic Sites\u201d feature of 66biolinks v44.0.0 by AltumCode. Uploaded ZIP archives are automatically extracted without validating or sanitizing file paths. An attacker can include traversal sequences (e.g., ../) in ZIP entries to write files outside the intended extraction directory. This allows static files (html, js, css, images) file write to unintended locations, or overwriting existing HTML files, potentially leading to content defacement and, in certain deployments, further impact if sensitive files are overwritten."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de salto de directorio (Zip Slip) existe en la caracter\u00edstica \u0027Sitios Est\u00e1ticos\u0027 de 66biolinks v44.0.0 de AltumCode. Los archivos ZIP subidos se extraen autom\u00e1ticamente sin validar ni sanear las rutas de archivo. Un atacante puede incluir secuencias de salto (p. ej., ../) en las entradas ZIP para escribir archivos fuera del directorio de extracci\u00f3n previsto. Esto permite la escritura de archivos est\u00e1ticos (html, js, css, im\u00e1genes) en ubicaciones no deseadas, o la sobrescritura de archivos HTML existentes, lo que podr\u00eda llevar a la desfiguraci\u00f3n del contenido y, en ciertas implementaciones, a un mayor impacto si se sobrescriben archivos sensibles."
    }
  ],
  "id": "CVE-2025-69601",
  "lastModified": "2026-02-09T17:25:23.750",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-28T19:16:23.910",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://gist.github.com/Waqar-Arain/9cd59aa74de540eeb3b09d15bac35e36"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.