CVE-2025-41714 HIGH

CVE-2025-41714: Path Traversal via 'Upload-Key' in SmartEMS Upload Handling

Vendor Welotec
Product SmartEMS Web Application
Weakness CWE-22 · Path traversal
Published September 10, 2025
Last update September 10, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The upload endpoint insufficiently validates the 'Upload-Key' request header. By supplying path traversal sequences, an authenticated attacker can cause the server to create upload-related artifacts outside the intended storage location. In certain configurations this enables arbitrary file write and may be leveraged to achieve remote code execution.
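The weakness class described above, shown as an added defensive example; this is not Welotec or SmartEMS code, whose implementation the record does not show. The function names, the allowed key format and the idea that the 'Upload-Key' value is used as a file name under a storage root are assumptions made for illustration.

```python
import re
from pathlib import Path

# Assumption: a legitimate Upload-Key is a short opaque token. The real
# key format is not given in the record; this allowlist is illustrative.
UPLOAD_KEY_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class InvalidUploadKey(ValueError):
    """Raised when an Upload-Key header value must be rejected."""


def unsafe_artifact_path(upload_root, upload_key):
    """Vulnerable pattern (CWE-22): header value joined to the root unchecked.

    '..' segments climb out of upload_root, and an absolute value
    replaces the root entirely when joined with pathlib.
    """
    return Path(upload_root) / upload_key


def safe_artifact_path(upload_root, upload_key):
    """Hardened pattern: allowlist the key, then verify containment."""
    if not isinstance(upload_key, str) or not UPLOAD_KEY_RE.fullmatch(upload_key):
        raise InvalidUploadKey("Upload-Key has unexpected characters or length")
    root = Path(upload_root).resolve()
    candidate = (root / upload_key).resolve()
    # Defence in depth: after resolving symlinks the artifact must sit
    # directly inside the storage root.
    if candidate.parent != root:
        raise InvalidUploadKey("Upload-Key resolves outside the upload directory")
    return candidate


def escapes_root(upload_root, path):
    """True if path, once resolved, lies outside upload_root."""
    root = Path(upload_root).resolve()
    resolved = Path(path).resolve()
    return not (resolved == root or root in resolved.parents)
```

The same containment test in `escapes_root` can be run over paths recorded in upload logs to flag artifacts that were created outside the storage directory.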

Key dates

02 Disclosure timeline

September 10, 2025 CVE published
September 10, 2025 Record updated
