CVE-2026-45225
Heym < 0.0.21 Path Traversal File Upload via upload_file()
| CVSS Score | 7.6 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Heym before 0.0.21 contains a path traversal vulnerability in the file upload endpoint that allows authenticated users to write attacker-controlled files to arbitrary locations by supplying a crafted filename with traversal sequences. Attackers can exploit the unvalidated filename parameter in the upload_file() handler to bypass path restrictions and write, read, or delete files outside the intended storage directory.
| CWE | CWE-22 |
| Vendor | heymrun |
| Product | heym |
| Published | May 12, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | High |
| Availability | Low |
Affected Versions
heymrun / heym
0 < 0.0.21
References
github.com: https://github.com/heymrun/heym/releases/tag/v0.0.21
github.com: https://github.com/heymrun/heym/pull/92
github.com: https://github.com/heymrun/heym/commit/835843e6d2bf7d018cbb8e50f28f0426eaa20c84
vulncheck.com: https://www.vulncheck.com/advisories/heym-path-traversal-file-upload-via-upload-file
Credits
Chia Min Jun Lennon