CVE-2018-25164 HIGH

CVE-2018-25164: EverSync 0.5 Arbitrary File Download via files Directory

Vendor Phpmassmail
Product EverSync
Weakness CWE-552 · Files accessible externally
Published March 6, 2026
Last update March 9, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

EverSync 0.5 contains an arbitrary file download vulnerability that allows unauthenticated attackers to access sensitive files by requesting them directly from the files directory. Attackers can send GET requests to the files directory to download database files like db.sq3 containing application data and credentials.

Key dates

02Disclosure timeline

March 6, 2026 CVE published
March 9, 2026 Record updated