Heym Path Traversal Vulnerability in File Upload Endpoint

Vulnerability

A path traversal vulnerability has been identified in Heym versions prior to 0.0.21. This vulnerability allows authenticated users to upload files to arbitrary locations by exploiting the file upload endpoint. Attackers can manipulate the filename parameter with traversal sequences to bypass path restrictions, potentially leading to unauthorized file access or modification outside the designated storage directory.

Impact

Exploitation of this vulnerability allows for path traversal, enabling attackers to write, read, or delete files outside the intended storage directory.

Reproduction

The vulnerability can be reproduced by uploading a file through the file upload endpoint with traversal sequences in the filename: for example, a multipart filename that navigates up the directory structure, such as '../../../poc-owned-by-attacker.txt'.
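The following is an added example, not code from Heym or from this advisory, showing the kind of server-side check that stops the filename above from leaving the storage directory. It is written in Python; the storage root path, the function names and the sample filenames are all constructed for the illustration. The check refuses any client-supplied filename that is not a single plain path component (so the rejection can be logged), and then independently confirms that the normalised destination still lies inside the storage root.

```python
import os
import posixpath

# Hypothetical storage root used for the demonstration; not Heym's real path.
STORAGE_ROOT = "/var/app/uploads"


def is_path_traversal(filename: str) -> bool:
    """Return True when a client-supplied filename should be refused outright.

    Anything other than a single, plain path component is treated as a
    traversal attempt: directory separators (either style), '.' or '..'
    components, absolute paths, and embedded NUL bytes (which can truncate
    the name at the OS level).
    """
    if filename == "" or "\x00" in filename:
        return True
    normalised = filename.replace("\\", "/")
    if posixpath.isabs(normalised) or "/" in normalised:
        return True
    return normalised in (".", "..")


def resolve_upload_path(storage_root: str, filename: str) -> str:
    """Map an uploaded filename to its destination under storage_root.

    Raises ValueError instead of silently rewriting the name, so a rejected
    upload can be logged as a security event. A second, independent check
    confirms the normalised result still lies inside the storage root.
    """
    if is_path_traversal(filename):
        raise ValueError(f"rejected upload filename: {filename!r}")
    root = os.path.abspath(storage_root)
    candidate = os.path.abspath(os.path.join(root, filename))
    # Defence in depth: abspath collapses any '..' that slipped through, and
    # commonpath compares at the directory level rather than as a string
    # prefix (so '/var/app/uploads-other' would not pass as inside the root).
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"filename escapes storage root: {filename!r}")
    return candidate


def triage_filenames(storage_root: str, filenames: list[str]) -> dict[str, str]:
    """Run the check over a batch of names, returning 'accepted' or 'rejected'."""
    verdicts = {}
    for name in filenames:
        try:
            resolve_upload_path(storage_root, name)
            verdicts[name] = "accepted"
        except ValueError:
            verdicts[name] = "rejected"
    return verdicts


# Constructed sample filenames, including the one quoted in the advisory.
SAMPLE_FILENAMES = [
    "report.pdf",
    "../../../poc-owned-by-attacker.txt",
    "..\\..\\..\\poc-owned-by-attacker.txt",
    "/tmp/absolute-path.txt",
    "image.png\x00.txt",
    "..",
]

if __name__ == "__main__":
    for name, verdict in triage_filenames(STORAGE_ROOT, SAMPLE_FILENAMES).items():
        print(f"{verdict:8} {name!r}")
```

Rejecting rather than stripping the offending components is deliberate: a stripped name hides the attempt from the logs, whereas a raised error gives the application a single place to record the rejected filename and the authenticated user who sent it. The check runs on the filename as the server sees it after multipart decoding; if a framework also URL-decodes that field, the same function should be applied to the decoded value.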

Remediation

Users are advised to update to Heym version 0.0.21 or later, where this vulnerability has been fixed.

Added: May 12, 2026, 10:22 PM
Updated: May 12, 2026, 10:22 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          0.0
impact          1.7
exploitability  6.3
remediation     0.0
relevance       8.1
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.