In Erxes versions before 1.6.2, an authenticated attacker can write to arbitrary files on the system through a path traversal vulnerability in the importHistoriesCreate GraphQL mutation handler.
{ "cwe_ids": [ "CWE-22", "CWE-24" ], "nvd_published_at": "2025-06-10T17:20:09Z", "github_reviewed_at": "2025-06-10T20:25:49Z", "github_reviewed": true, "severity": "MODERATE" }