VYPR
Medium severity (CVSS 4.9) · NVD Advisory · Published Oct 29, 2025 · Updated Apr 15, 2026

CVE-2025-11466

Description

Allegra DatabaseBackupBL Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Allegra. Authentication is required to exploit this vulnerability.

The specific flaw exists within the DatabaseBackupBL class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the service account. Was ZDI-CAN-27136.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-11466 is a directory traversal vulnerability in Allegra's DatabaseBackupBL class allowing authenticated attackers to read arbitrary files.

Vulnerability

Analysis

The vulnerability, reported as ZDI-CAN-27136 [1], exists in the DatabaseBackupBL class of Allegra. The root cause is insufficient validation of user-supplied paths before using them in file operations. This directory traversal flaw enables an authenticated attacker to read arbitrary files on the system. The CVSS v3 base score is 4.9 (Medium), with the vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, indicating a high confidentiality impact but requiring high privileges.

Exploitation

An attacker with valid authentication can exploit this flaw remotely by manipulating a path input that is used in file operations without proper sanitization. The lack of path validation allows traversal outside the intended directory. The attack complexity is low, and no user interaction is required.
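The defect class described above is a path used in file operations without a containment check. As an added illustration (not Allegra's code; the backup directory, file names and function names are all constructed for the example), the block below contrasts a naive join with a canonicalise-then-contain check, and shows why a plain string-prefix comparison is not sufficient:

```python
from pathlib import Path

# Hypothetical backup directory for the example; not a real Allegra path.
BACKUP_DIR = "/srv/allegra/backups"


def naive_resolve(backup_dir: str, requested: str) -> Path:
    """The defect pattern: join the user-supplied name with no validation.
    '..' segments and absolute names escape backup_dir."""
    return Path(backup_dir) / requested


def safe_resolve(backup_dir: str, requested: str) -> Path:
    """Canonicalise the joined path (collapses '..', follows symlinks that
    exist) and accept it only if it still lies inside backup_dir."""
    base = Path(backup_dir).resolve()
    candidate = (base / requested).resolve()
    try:
        # relative_to compares path components, so '/x/backups-old' is
        # correctly rejected for a base of '/x/backups'.
        candidate.relative_to(base)
    except ValueError:
        raise PermissionError(f"path escapes backup directory: {requested!r}")
    return candidate


def prefix_check_is_fooled(backup_dir: str, requested: str) -> bool:
    """A common but insufficient fix: a string startswith() comparison.
    Returns True when the check would wrongly accept an escaping path."""
    base = Path(backup_dir).resolve()
    candidate = (base / requested).resolve()
    passes_prefix_check = str(candidate).startswith(str(base))
    return passes_prefix_check and not str(candidate).startswith(str(base) + "/")


def classify_requests(backup_dir: str, names: list[str]) -> dict[str, str]:
    """Label each requested name as 'allowed' or 'denied' under safe_resolve."""
    results: dict[str, str] = {}
    for name in names:
        try:
            safe_resolve(backup_dir, name)
            results[name] = "allowed"
        except PermissionError:
            results[name] = "denied"
    return results


if __name__ == "__main__":
    sample = ["db-2025-10-29.sql", "nightly/db.sql", "../../etc/passwd",
              "/etc/passwd", "../backups-old/db.sql"]
    for name, verdict in classify_requests(BACKUP_DIR, sample).items():
        print(f"{verdict:7s} {name}")
```

A symlink planted inside the backup directory is followed by `resolve()` and then rejected by the containment check, which is the behaviour a plain normalisation of `..` would miss.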

Impact

Successful exploitation leads to information disclosure in the context of the service account. An attacker could read sensitive files such as configuration data, database backups, or other confidential information stored on the server, potentially leading to further compromise.

Mitigation

Allegra has addressed this vulnerability in version 8.1.6 and the corresponding 7.5.2.76 release, as noted in the vendor's release notes [2]. Users are advised to update to these or later versions and clear their browser cache after upgrading.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0

No linked articles in our index yet.