CVE-2025-6278
published 2025-06-19
CVE-2025-6278: A vulnerability classified as critical was found in Upsonic up to 0.55.6. This vulnerability affects the function os.path.join of the file markdown/server.py…
Priority P262 | critical | 9.8 | CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.65% (46.4th percentile)
A vulnerability classified as critical was found in Upsonic up to 0.55.6. This vulnerability affects the function os.path.join of the file markdown/server.py. The manipulation of the argument file.filename leads to path traversal. The exploit has been disclosed to the public and may be used.
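The failure mode described above, as an added example (not Upsonic's code; the contents of markdown/server.py are not shown on this page): `os.path.join` applied to a client-supplied `file.filename`, next to a resolver that refuses names leaving the upload directory. The function names and the sample filenames are constructed for illustration.

```python
import os

# Constructed sample values for an upload's file.filename field.
SAMPLE_NAMES = ["notes.md", "../../outside.md", "/tmp/absolute.md", "..\\win.md"]


def naive_destination(upload_dir: str, filename: str) -> str:
    """Pattern named in the advisory: join the client-supplied name unchanged."""
    # os.path.join keeps ".." components and, when filename is absolute,
    # discards upload_dir entirely.
    return os.path.join(upload_dir, filename)


def escapes(upload_dir: str, path: str) -> bool:
    """True if path resolves to a location outside upload_dir."""
    root = os.path.realpath(upload_dir)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


def safe_destination(upload_dir: str, filename: str) -> str:
    """Return a path that is a direct child of upload_dir, or raise ValueError."""
    # Treat backslashes as separators too, whatever OS the server runs on.
    name = os.path.basename(filename.replace("\\", "/"))
    if name != filename or name in ("", ".", "..") or "\x00" in name:
        raise ValueError(f"rejected upload filename: {filename!r}")
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, name))
    # Containment check after symlink resolution: a symlink planted inside
    # upload_dir must not redirect the write somewhere else.
    if os.path.commonpath([root, dest]) != root:
        raise ValueError(f"resolved path leaves upload dir: {filename!r}")
    return dest


def audit(upload_dir: str, names):
    """Map each name to (naive join escapes upload_dir, hardened resolver accepts)."""
    results = {}
    for name in names:
        naive_escapes = escapes(upload_dir, naive_destination(upload_dir, name))
        try:
            safe_destination(upload_dir, name)
            accepted = True
        except ValueError:
            accepted = False
        results[name] = (naive_escapes, accepted)
    return results
```

`audit` can also be run over filenames recorded in upload logs to find requests whose naive join would have landed outside the upload directory.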
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| upsonic | upsonic | <= 0.55.6 | — |
| upsonic | upsonic | — | — |
| upsonic | upsonic | — | — |
| upsonic | upsonic | — | — |
| upsonic | upsonic | — | — |
| upsonic | upsonic | — | — |
| upsonic | upsonic | — | — |
| upsonic | upsonic | — | — |
| upsonic | upsonic | >= 0 < 0.56.0 | 0.56.0 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 2.0 | LOW | CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 5.2 | MEDIUM | AV:A/AC:L/Au:S/C:P/I:P/A:P |
OSV
Upsonic is vulnerable to Path Traversal attack through its os.path.join function
osv·2025-06-19
CVE-2025-6278 [LOW] Upsonic is vulnerable to Path Traversal attack through its os.path.join function
GHSA
Upsonic is vulnerable to Path Traversal attack through its os.path.join function
ghsa·2025-06-19
CVE-2025-6278 [LOW] CWE-22 Upsonic is vulnerable to Path Traversal attack through its os.path.join function
OSV
CVE-2025-6278: A vulnerability classified as critical was found in Upsonic up to 0
osv·2025-06-19
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-06-19