PatchSiren cyber security CVE debrief
CVE-2026-45225 heymrun CVE debrief
CVE-2026-45225 is a path traversal vulnerability in the file upload endpoint of Heym before version 0.0.21. This vulnerability allows authenticated users to write attacker-controlled files to arbitrary locations by supplying a crafted filename with traversal sequences. The unvalidated filename parameter in the upload_file() handler can be exploited to bypass path restrictions and write, read, or delete files outside the intended storage directory. Affected product deployments should be reviewed for exposure.
- Vendor
- heymrun
- Product
- heym
- CVSS
- HIGH 7.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-07-14
Who should care
Users of Heym before version 0.0.21 should be aware of this vulnerability and take immediate action to update to a patched version. Authenticated users of the affected versions are at risk of being exploited. Operators, platform administrators, vulnerability management teams, and security teams should review the vulnerability and implement necessary mitigations.
Technical summary
The vulnerability exists in the file upload endpoint of Heym, where the filename parameter is not properly validated. This allows an attacker to supply a filename with traversal sequences, potentially leading to writing, reading, or deleting files outside the intended directory. The CVSS score for this vulnerability is 7.2, indicating a high severity. Affected product context suggests that authenticated users can exploit this vulnerability.
Defensive priority
High
Recommended defensive actions
- Update Heym to version 0.0.21 or later
- Restrict access to the file upload endpoint
- Monitor for suspicious file upload activity
- Implement additional security measures such as file upload validation and sanitization
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-05-12T22:16:37.990Z and last modified on 2026-07-14T21:16:55.190Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD information. Defenders should verify affected product deployments and review official advisories.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-05-12T22:16:37.990Z and has not been modified since then. The NVD entry is currently Deferred.