High severity7.6NVD Advisory· Published May 12, 2026· Updated May 14, 2026

CVE-2026-45225

Description

Heym before 0.0.21 contains a path traversal vulnerability in the file upload endpoint that allows authenticated users to write attacker-controlled files to arbitrary locations by supplying a crafted filename with traversal sequences. Attackers can exploit the unvalidated filename parameter in the upload_file() handler to bypass path restrictions and write, read, or delete files outside the intended storage directory.

Affected products

Heymrun/Heymreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/heymrun/heym/commit/835843e6d2bf7d018cbb8e50f28f0426eaa20c84nvd
github.com/heymrun/heym/pull/92nvd
github.com/heymrun/heym/releases/tag/v0.0.21nvd
www.vulncheck.com/advisories/heym-path-traversal-file-upload-via-upload-filenvd

News mentions

No linked articles in our index yet.

cvss	0.494
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000