VYPR
High severity · 8.8 · NVD Advisory · Published Jun 8, 2026

CVE-2026-25559

Description

OpenBullet2 0.3.2 allows authenticated users to read, write, and delete arbitrary files via path traversal, potentially leading to RCE.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

OpenBullet2 versions prior to and including 0.3.2 suffer from a path traversal vulnerability within the wordlist endpoint. This flaw allows authenticated attackers to read, write, and delete arbitrary files by providing unsanitized absolute paths to the upload handler and wordlist functions. [1]

Exploitation

An authenticated attacker can exploit this vulnerability by crafting malicious requests to the wordlist endpoint. By supplying unsanitized absolute paths, the attacker can manipulate file operations. Chaining file write and delete primitives allows for the modification of critical system files, such as /etc/passwd, to achieve remote code execution. [1]

Impact

Successful exploitation grants an attacker the ability to perform arbitrary file read, write, and delete operations. By manipulating critical system files, attackers can achieve remote code execution with the privileges of the running application, which by default operates as root, leading to full system compromise. [1]

Mitigation

OpenBullet2 versions 0.3.2 and earlier are affected. A patch is expected, but no fixed version or release date has been disclosed in the available references. Users are advised to monitor for updates. [1]

AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
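
The advisory attributes the flaw to unsanitized absolute paths reaching file operations. The sketch below is an added example, not OpenBullet2 code and not taken from the references: it contrasts a plain join with a containment check. The function names and the temporary base directory are hypothetical, and the sample inputs are constructed.

```python
import os
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """Raised when a client-supplied path would leave the allowed directory."""


def naive_join(base: str, user_path: str) -> str:
    # Weak pattern: joining does not confine. An absolute second argument
    # replaces the base entirely, so "/etc/passwd" stays "/etc/passwd".
    return os.path.join(base, user_path)


def resolve_inside(base: str, user_path: str) -> Path:
    """Return the real path for user_path, guaranteed to lie under base."""
    if not user_path or "\x00" in user_path:
        raise UnsafePath("empty path or NUL byte")
    candidate = Path(user_path)
    # Reject absolute paths outright; a leading backslash is refused too.
    if candidate.is_absolute() or user_path.startswith(("/", "\\")):
        raise UnsafePath("absolute path not allowed")
    base_real = Path(base).resolve()
    # resolve() collapses ".." and follows symlinks before the comparison.
    target = (base_real / candidate).resolve()
    if base_real not in target.parents:
        raise UnsafePath("path escapes base directory")
    return target


def demo() -> dict:
    """Run constructed inputs through both functions; return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as base:  # hypothetical wordlist root
        results["naive"] = naive_join(base, "/etc/passwd")
        for sample in ("lists/a.txt", "/etc/passwd", "../../etc/passwd"):
            try:
                resolve_inside(base, sample)
                results[sample] = "allowed"
            except UnsafePath as exc:
                results[sample] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```

Use the returned path, not the client's string, for the read, write or delete that follows, and apply the same check to every file operation the endpoint exposes.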

Affected products

1

Patches

0

No patches discovered yet.

References

2
