CVE-2026-45225 PUBLISHED

Heym < 0.0.21 Path Traversal File Upload via upload_file()

Assigner: VulnCheck
Reserved: 11.05.2026 Published: 12.05.2026 Updated: 12.05.2026

Heym before 0.0.21 contains a path traversal vulnerability in the file upload endpoint that allows authenticated users to write attacker-controlled files to arbitrary locations by supplying a crafted filename with traversal sequences. Attackers can exploit the unvalidated filename parameter in the upload_file() handler to bypass path restrictions and write, read, or delete files outside the intended storage directory.

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
CVSS Score: 7.2

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	Low	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
CVSS Score: 7.6

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	heymrun
Product	heym
Versions	Default: affected affected from 0 to 0.0.21 (excl.) Version 835843e6d2bf7d018cbb8e50f28f0426eaa20c84 is unaffected

Credits

Chia Min Jun Lennon finder

References

Problem Types

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE