CVE-2025-43919

CWE-24CWE-22Path Traversal4 documents4 sources
Severity
7.5HIGH
EPSS
0.2%
top 55.29%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
GNU Mailman
Timeline
PublishedApr 20

Description

GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to read arbitrary files via ../ directory traversal at /mailman/private/mailman (aka the private archive authentication endpoint) via the username parameter. NOTE: multiple third parties report that they are unable to reproduce this, regardless of whether cPanel or WHM is used.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

NVDgnu/mailman2.1.12.1.39
CVEListV5gnu/mailman2.1.39

🔴Vulnerability Details

3
GHSA
GHSA-56r4-vj3r-h3vv: GNU Mailman 22025-04-20
OSV
CVE-2025-43919: GNU Mailman 22025-04-20
CVEList
CVE-2025-43919: GNU Mailman 22025-04-20
CVE-2025-43919 (HIGH CVSS 7.5) | GNU Mailman 2.1.39 | cvebase.io