CVE-2025-54790
- Source
- https://cve.org/CVERecord?id=CVE-2025-54790
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54790.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-54790
- Aliases
-
- GHSA-rfvq-g9rm-pgqj
- Published
- 2025-08-01T23:37:23.353Z
- Modified
- 2026-04-10T05:30:39.573200Z
- Severity
-
- 9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N CVSS Calculator
- Summary
- Files: Potential for SQL Injection through File Browse and List Operations
- Details
-
Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, Files does not have logic to prevent the exploitation of backend SQL queries without direct output, potentially allowing unauthorized data access. This is fixed in version 0.16.10.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54790.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-89" ] }- References
-
- https://github.com/humhub/cfiles/releases/tag/v0.16.10
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54790.json
- https://github.com/humhub/cfiles/security/advisories/GHSA-rfvq-g9rm-pgqj
- https://nvd.nist.gov/vuln/detail/CVE-2025-54790
- https://github.com/humhub/cfiles/pull/252
Affected packages
Git / github.com/humhub/cfiles
Affected ranges
- Type
- GIT
- Repo
- https://github.com/humhub/cfiles
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed