High severity8.1NVD Advisory· Published Sep 22, 2025· Updated Apr 15, 2026

CVE-2025-10854

Description

The txtai framework allows the loading of compressed tar files as embedding indices. While the validate function is intended to prevent path traversal vulnerabilities by ensuring safe filenames, it does not account for symbolic links within the tar file. An attacker is able to write a file anywhere in the filesystem when txtai is used to load untrusted embedding indices

Affected products

Neuml/Txtaireferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/neuml/txtai/issues/965nvd
research.jfrog.com/vulnerabilities/txtai-arbitrary-file-write-jfsa-2025-001471363/nvd

News mentions

No linked articles in our index yet.

cvss	0.526
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000