CVE-2025-32807

NameCVE-2025-32807
DescriptionA path traversal vulnerability in FusionDirectory before 1.5 allows remote attackers to read arbitrary files on the host that end with .png (and .svg or .xpm for some configurations) via the icon parameter of a GET request to geticon.php.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
fusiondirectory (PTS)bullseye1.3-4+deb11u1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
fusiondirectorysource(unstable)(unfixed)

Notes

[bullseye] - fusiondirectory <postponed> (Minor issue, infoleak limited to image files)
https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/commit/9edefd0b367450d665a141c5e94db8a06d208556
Search for package or bug name: Reporting problems