CVE-2025-60915 is a path traversal vulnerability identified in the Openatlas software developed by the Austrian Archaeological Institute, affecting versions prior to 8.12.0. The vulnerability resides in the handling of the 'size' query parameter within the /views/file.py script. An attacker can craft a malicious HTTP request that manipulates this parameter to traverse directories on the server's filesystem, thereby accessing files outside the intended directory scope. This type of vulnerability typically arises from insufficient sanitization or validation of user-supplied input used in file path construction. Successful exploitation allows unauthorized reading of arbitrary files, which may include sensitive configuration files, credentials, or other protected data. There is no indication that authentication is required to exploit this flaw, increasing its risk profile. Although no active exploits have been reported, the vulnerability is publicly disclosed and assigned a CVE identifier. The lack of a CVSS score suggests the need for an independent severity assessment. The vulnerability affects organizations using Openatlas, a software platform used primarily in archaeological research and cultural heritage management, which may contain sensitive or proprietary data. The technical details indicate the vulnerability was reserved in late September 2025 and published in November 2025, with no patch links currently provided, emphasizing the urgency for affected users to seek updates or mitigations from the vendor.

For European organizations, particularly those involved in archaeological research, cultural heritage preservation, and academic institutions using Openatlas, this vulnerability poses a significant risk. Unauthorized file access can lead to exposure of sensitive research data, personal information, or system configuration files, potentially resulting in data breaches or further system compromise. The confidentiality of proprietary archaeological datasets and personal data of researchers or subjects could be compromised. Additionally, if attackers access system files or credentials, they might escalate privileges or pivot within the network, impacting integrity and availability. Given the specialized nature of Openatlas, the impact is concentrated but critical within this niche sector. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as public disclosure may prompt attackers to develop exploits. European organizations must consider the reputational damage and regulatory implications, such as GDPR violations, if personal or sensitive data is exposed.

Organizations should immediately verify their Openatlas version and upgrade to version 8.12.0 or later once available, as this is the primary remediation step. In the absence of an official patch, implement strict input validation and sanitization on the 'size' query parameter to prevent directory traversal characters (e.g., '../'). Employ web application firewalls (WAFs) with rules designed to detect and block path traversal attempts targeting the /views/file.py endpoint. Restrict file system permissions so that the Openatlas application runs with the least privileges necessary, limiting the files accessible to the application user. Conduct thorough logging and monitoring of web server access logs to identify suspicious requests attempting directory traversal patterns. Engage with the vendor or community for interim patches or workarounds. Additionally, review and harden server configurations to prevent unauthorized file access and consider network segmentation to isolate critical research systems. Regularly audit and update security controls to detect exploitation attempts promptly.