CVE-2022-50890
Unknown Unknown - Not Provided
Path Traversal in Owlfiles 12.0.1 HTTP Server Allows Directory Access

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: VulnCheck

Description
Owlfiles File Manager 12.0.1 contains a path traversal vulnerability in its built-in HTTP server that allows attackers to access system directories. Attackers can exploit the vulnerability by crafting GET requests with directory traversal sequences to access restricted system directories on the device.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-14
NVD
CVE-2022-50890
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
skyjos owlfiles_file_manager 12.0.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2022-50890 is a path traversal vulnerability in Owlfiles File Manager version 12.0.1. It exists in the app's built-in HTTP server, which improperly handles file path inputs. Attackers can craft malicious GET requests containing directory traversal sequences (like '../../../../../../') to access restricted system directories and sensitive files on the device, such as system folders and configuration files. This happens because the server does not properly validate or restrict pathname access, allowing unauthorized browsing and file reading outside the intended root directory. [1, 4]

Impact Analysis

This vulnerability can allow attackers to access sensitive system directories and files on your device without authorization. They can retrieve critical configuration files, browse internal file structures, and potentially gain information that could be used for further attacks. Additionally, related vulnerabilities in the app's HTTP and FTP servers can expose system directories and enable execution of malicious scripts via cross-site scripting (XSS). Overall, it poses significant security risks by exposing private data and system information to attackers remotely over the network. [1, 4]

Detection Guidance

This vulnerability can be detected by sending crafted GET requests to the Owlfiles File Manager's built-in HTTP server to check for directory traversal. For example, sending a GET request like `GET /../../../../../../../../../../../../../../../System/ HTTP/1.1` and observing if it returns directory listings of sensitive system folders indicates the vulnerability. Similarly, requesting files such as `GET /../../../../../../../../../../../../../../../etc/hosts HTTP/1.1` can confirm unauthorized file access. On the FTP server, commands like `cd ../../../../../../../../../` followed by `ls` can be used to check if directory traversal is possible outside the FTP root. [1]

Mitigation Strategies

Immediate steps to mitigate this vulnerability include disabling or restricting access to the built-in HTTP and FTP servers of Owlfiles File Manager 12.0.1 to prevent exploitation via crafted GET requests or FTP commands. Additionally, avoid exposing the application to untrusted networks until a patch or update addressing the path traversal and related vulnerabilities is applied. Monitoring network traffic for suspicious directory traversal attempts and applying any available security updates from the developer are also recommended. [1, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50890. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart