CVE-2026-25575: CWE-23: Relative Path Traversal in TUM-Dev NavigaTUM
CVE-2026-25575 is a high-severity path traversal vulnerability in the NavigaTUM web application and API, allowing unauthenticated attackers to overwrite files in directories writable by the application user. By sending crafted JSON payloads with relative path sequences, attackers can escape the intended temporary directory and overwrite or add files, potentially replacing public-facing images or filling server storage. This vulnerability affects versions prior to commit 86f34c7 and requires no authentication or user interaction. The issue has been patched in the specified commit. European organizations using NavigaTUM should urgently apply the patch to prevent exploitation that could lead to defacement, denial of service, or further compromise.
AI Analysis
Technical Summary
NavigaTUM, a web application and API designed for searching rooms, buildings, and other locations, contained a critical path traversal vulnerability identified as CVE-2026-25575. The vulnerability exists in the propose_edits endpoint, where the application fails to properly sanitize file keys in JSON payloads. Attackers can include relative path traversal sequences such as "../../" to escape the intended temporary directory and write files to arbitrary locations writable by the application user, such as the /cdn directory. This can lead to overwriting public-facing images or filling the server's storage, potentially causing denial of service or enabling further attacks like web defacement or code injection if executable files are placed. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The issue was fixed in commit 86f34c7 by properly sanitizing input to prevent directory traversal. The CVSS 4.0 score is 8.8 (high), reflecting the ease of exploitation and significant impact on integrity and availability. No known exploits in the wild have been reported yet.
Potential Impact
For European organizations using NavigaTUM, this vulnerability poses a significant risk. Attackers can remotely overwrite files without authentication, potentially defacing websites, disrupting services by filling storage, or planting malicious files for further exploitation. Public-facing institutions such as universities, municipal offices, or companies relying on NavigaTUM for location services could suffer reputational damage and operational downtime. The integrity of publicly accessible content can be compromised, and availability may be impacted due to resource exhaustion. Given the unauthenticated nature of the exploit, attackers from anywhere can target vulnerable deployments, increasing the threat landscape. Organizations with strict data integrity and availability requirements, such as government or critical infrastructure entities, are particularly at risk.
Mitigation Recommendations
Organizations should immediately verify their NavigaTUM version and apply the patch introduced in commit 86f34c7 or upgrade to a fixed version. If patching is not immediately possible, implement web application firewall (WAF) rules to detect and block requests containing path traversal sequences in the propose_edits endpoint payloads. Restrict write permissions of the application user to only necessary directories and avoid writable directories that serve public content. Monitor logs for suspicious requests attempting directory traversal patterns. Conduct regular security audits of input validation mechanisms in web APIs. Additionally, implement rate limiting and anomaly detection to reduce the risk of automated exploitation attempts. Backup critical data and have an incident response plan ready in case of compromise.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Austria
CVE-2026-25575: CWE-23: Relative Path Traversal in TUM-Dev NavigaTUM
Description
CVE-2026-25575 is a high-severity path traversal vulnerability in the NavigaTUM web application and API, allowing unauthenticated attackers to overwrite files in directories writable by the application user. By sending crafted JSON payloads with relative path sequences, attackers can escape the intended temporary directory and overwrite or add files, potentially replacing public-facing images or filling server storage. This vulnerability affects versions prior to commit 86f34c7 and requires no authentication or user interaction. The issue has been patched in the specified commit. European organizations using NavigaTUM should urgently apply the patch to prevent exploitation that could lead to defacement, denial of service, or further compromise.
AI-Powered Analysis
Technical Analysis
NavigaTUM, a web application and API designed for searching rooms, buildings, and other locations, contained a critical path traversal vulnerability identified as CVE-2026-25575. The vulnerability exists in the propose_edits endpoint, where the application fails to properly sanitize file keys in JSON payloads. Attackers can include relative path traversal sequences such as "../../" to escape the intended temporary directory and write files to arbitrary locations writable by the application user, such as the /cdn directory. This can lead to overwriting public-facing images or filling the server's storage, potentially causing denial of service or enabling further attacks like web defacement or code injection if executable files are placed. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The issue was fixed in commit 86f34c7 by properly sanitizing input to prevent directory traversal. The CVSS 4.0 score is 8.8 (high), reflecting the ease of exploitation and significant impact on integrity and availability. No known exploits in the wild have been reported yet.
Potential Impact
For European organizations using NavigaTUM, this vulnerability poses a significant risk. Attackers can remotely overwrite files without authentication, potentially defacing websites, disrupting services by filling storage, or planting malicious files for further exploitation. Public-facing institutions such as universities, municipal offices, or companies relying on NavigaTUM for location services could suffer reputational damage and operational downtime. The integrity of publicly accessible content can be compromised, and availability may be impacted due to resource exhaustion. Given the unauthenticated nature of the exploit, attackers from anywhere can target vulnerable deployments, increasing the threat landscape. Organizations with strict data integrity and availability requirements, such as government or critical infrastructure entities, are particularly at risk.
Mitigation Recommendations
Organizations should immediately verify their NavigaTUM version and apply the patch introduced in commit 86f34c7 or upgrade to a fixed version. If patching is not immediately possible, implement web application firewall (WAF) rules to detect and block requests containing path traversal sequences in the propose_edits endpoint payloads. Restrict write permissions of the application user to only necessary directories and avoid writable directories that serve public content. Monitor logs for suspicious requests attempting directory traversal patterns. Conduct regular security audits of input validation mechanisms in web APIs. Additionally, implement rate limiting and anomaly detection to reduce the risk of automated exploitation attempts. Backup critical data and have an incident response plan ready in case of compromise.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-02-03T01:02:46.714Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69844e6bf9fa50a62f0c7c95
Added to database: 2/5/2026, 8:01:47 AM
Last enriched: 2/5/2026, 8:02:03 AM
Last updated: 2/5/2026, 9:12:35 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
The First 90 Seconds: How Early Decisions Shape Incident Response Investigations
HighCVE-2026-1319: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in themeisle Robin Image Optimizer – Unlimited Image Optimization & WebP Converter
MediumCVE-2025-13416: CWE-862 Missing Authorization in metagauss ProfileGrid – User Profiles, Groups and Communities
MediumCVE-2025-10258: Vulnerability in Nokia Infinera DNA
UnknownCVE-2026-1268: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in brechtvds Dynamic Widget Content
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.