CVE-2026-25069
Unknown Unknown - Not Provided
Path Traversal in SunFounder pm_dashboard Allows File Deletion

Publication date: 2026-02-01

Last updated on: 2026-02-01

Assigner: VulnCheck

Description
SunFounder Pironman Dashboard (pm_dashboard) version 1.3.13 and prior contain a path traversal vulnerability in the log file API endpoints. An unauthenticated remote attacker can supply traversal sequences via the filename parameter to read and delete arbitrary files. Successful exploitation can disclose sensitive information and delete critical system files, resulting in data loss and potential system compromise or denial of service.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-01
Last Modified
2026-02-01
Generated
2026-06-16
AI Q&A
2026-02-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25069
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sunfounder pm_dashboard to 1.3.13 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25069 is a path traversal vulnerability in SunFounder Pironman Dashboard (pm_dashboard) version 1.3.13 and earlier. It exists in the log file API endpoints where an unauthenticated remote attacker can supply traversal sequences via the filename parameter. This allows the attacker to read and delete arbitrary files on the system by bypassing pathname restrictions intended to confine file operations to a restricted directory. [3]

Impact Analysis

Exploitation of this vulnerability can lead to disclosure of sensitive information, deletion of critical system files, data loss, potential system compromise, or denial of service. Since the attacker does not need to be authenticated, the risk is high and can severely impact system integrity and availability. [3]

Detection Guidance

Detection can involve monitoring HTTP requests to the log file API endpoints for suspicious usage of the 'filename' parameter containing path traversal sequences such as '../'. Network traffic inspection tools or web server logs can be used to identify such attempts. For example, using grep on web server logs: grep -E "filename=.*\.\./" /var/log/nginx/access.log or using tools like tcpdump or Wireshark to filter HTTP requests with suspicious parameters. Additionally, checking for unexpected file deletions or access in the system logs may indicate exploitation attempts. [3]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable log file API endpoints, applying input validation or sanitization on the 'filename' parameter to prevent path traversal sequences, and updating or patching the pm_dashboard application to a version that fixes this vulnerability. If an update is not available, consider disabling the affected API endpoints or deploying web application firewall (WAF) rules to block requests containing path traversal patterns. Monitoring for suspicious activity and backing up critical data are also recommended to reduce impact. [3]

Compliance Impact

The vulnerability allows unauthenticated remote attackers to read and delete arbitrary files, potentially disclosing sensitive information and causing data loss or system compromise. Such unauthorized disclosure and loss of sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring data integrity and availability. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25069. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart