Description

Problem in the Small HTTP Server v3.06.36 service. An authenticated path traversal vulnerability in '/' allows remote users to bypass the intended SecurityManager restrictions and display any file outside the document root configured on the server, provided they have the appropriate permissions.

PUBLISHED Reserved 2025-04-16 | Published 2026-03-26 | Updated 2026-03-26 | Assigner INCIBE




HIGH: 8.7 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status: unaffected

3.06.36: affected

Credits

Rafael Pedrero (finder)

References

www.incibe.es/...-vulnerabilities-small-http-server-smallsrv (patch)

cve.org (CVE-2025-41368)

nvd.nist.gov (CVE-2025-41368)