
Description

SunFounder Pironman Dashboard (pm_dashboard) versions 1.3.13 and prior contain a path traversal vulnerability in the log file API endpoints. An unauthenticated remote attacker can supply traversal sequences via the filename parameter to read and delete arbitrary files. Successful exploitation can disclose sensitive information and delete critical system files, resulting in data loss and potential system compromise or denial of service.
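A containment check of the kind that closes this class of bug (CWE-22) in a log file endpoint, shown as an added example that is not pm_dashboard's code or its fix. The names `resolve_log_path` and `UnsafeLogName`, the directory layout and all inputs are hypothetical and constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


class UnsafeLogName(ValueError):
    """Raised when a requested log name would resolve outside the log directory."""


def resolve_log_path(log_dir, filename):
    """Map a client-supplied log name to a path guaranteed to sit inside log_dir."""
    if not filename or "\x00" in filename:
        raise UnsafeLogName("empty name or NUL byte")
    base = Path(log_dir).resolve()
    # resolve() collapses ".." and follows symlinks, so the check below sees the
    # real target. An absolute filename replaces base in the join and fails too.
    candidate = (base / filename).resolve()
    if candidate == base or base not in candidate.parents:
        raise UnsafeLogName(f"{filename!r} resolves outside {base}")
    return candidate


def demo():
    """Run constructed inputs against a throwaway directory; return the verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        log_dir = Path(root, "logs")
        log_dir.mkdir()
        (log_dir / "app.log").write_text("ok\n")
        Path(root, "secret.txt").write_text("outside the log directory\n")
        # Symlink inside the log directory that points outside of it.
        os.symlink(Path(root, "secret.txt"), log_dir / "link.log")
        for name in ["app.log", "sub/../app.log", "../secret.txt",
                     str(Path(root, "secret.txt")), "link.log", "", "."]:
            try:
                resolve_log_path(log_dir, name)
                results[name] = "allowed"
            except UnsafeLogName:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name!r:40} {verdict}")
```

The same resolved path has to be used for both the read and the delete handler, and the check does not replace authentication on the endpoints.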

PUBLISHED Reserved 2026-01-28 | Published 2026-01-31 | Updated 2026-02-01 | Assigner VulnCheck




CRITICAL: 9.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status: unknown

Any version: affected

Credits

chapochapo (finder)

References

github.com/sunfounder/pm_dashboard product

github.com/...shboard/blob/main/pm_dashboard/pm_dashboard.py issue-tracking

github.com/...shboard/blob/main/pm_dashboard/pm_dashboard.py issue-tracking

www.vulncheck.com/...-traversal-arbitrary-file-read-deletion third-party-advisory

gist.github.com/chapochapo/5db8702ede862af5c59a28b5d5a0aba3 technical-description exploit

cve.org (CVE-2026-25069)

nvd.nist.gov (CVE-2026-25069)
