Base Score

MEDIUM5.8

CVE-2025-49466

aerc before 93bec0d allows directory traversal in commands/msgview/open.go because of direct path concatenation of the name of an attachment part,

VectorNETWORK

Published Bycve@mitre.org

Published DateJun 05, 2025, 03:15

Weakness Type (CWE):CWE-23

CVSS Metrics

Base Score

5.8

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

CHANGED

Confidentiality (C)

NONE

Integrity (I)

LOW

Availability (A)

NONE

References

https://git.sr.ht/~rjarry/aerc/commit/2bbe75fe0bc87ab4c1e16c5a18c6200224391629
https://git.sr.ht/~rjarry/aerc/commit/93bec0de8ed5ab3d6b1f01026fe2ef20fa154329

Base Score

MEDIUM5.8

Weakness Type (CWE):CWE-23

CVSS Metrics

Base Score

5.8

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

CHANGED

Confidentiality (C)

NONE

Integrity (I)

LOW

Availability (A)

NONE