Critical severity9.8NVD Advisory· Published Jan 8, 2025· Updated Apr 15, 2026

CVE-2025-22137

Description

Pingvin Share is a self-hosted file sharing platform and an alternative for WeTransfer. This vulnerability allows an authenticated or unauthenticated (if anonymous shares are allowed) user to overwrite arbitrary files on the server, including sensitive system files, via HTTP POST requests. The issue has been patched in version 1.4.0.

Patches

6cf5c66fe2ed

https://github.com/stonith404/pingvin-sharevia osv

commit

c52ec7192080

https://github.com/stonith404/pingvin-sharevia osv

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/stonith404/pingvin-share/commit/6cf5c66fe2eda1e0a525edf7440d047fe2f0e35bnvd
github.com/stonith404/pingvin-share/commit/c52ec7192080c402bd804e69be93dd88cc7c5c70nvd
github.com/stonith404/pingvin-share/security/advisories/GHSA-rjwx-p44f-mcrvnvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000