{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-11607", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2025-10-10T13:35:53.554Z", "datePublished": "2025-10-11T16:32:05.833Z", "dateUpdated": "2025-10-14T14:54:37.776Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-10-11T16:32:05.833Z"}, "title": "harry0703 MoneyPrinterTurbo API Endpoint music.py upload_music path traversal", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "Path Traversal"}]}], "affected": [{"vendor": "harry0703", "product": "MoneyPrinterTurbo", "versions": [{"version": "1.2.0", "status": "affected"}, {"version": "1.2.1", "status": "affected"}, {"version": "1.2.2", "status": "affected"}, {"version": "1.2.3", "status": "affected"}, {"version": "1.2.4", "status": "affected"}, {"version": "1.2.5", "status": "affected"}, {"version": "1.2.6", "status": "affected"}], "modules": ["API Endpoint"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in harry0703 MoneyPrinterTurbo up to 1.2.6. The impacted element is the function upload_music of the file app/controllers/v1/music.py of the component API Endpoint. Executing manipulation of the argument File can lead to path traversal. The attack may be performed from remote. The exploit has been made available to the public and could be exploited."}, {"lang": "de", "value": "Es wurde eine Schwachstelle in harry0703 MoneyPrinterTurbo up to 1.2.6 entdeckt. Davon betroffen ist die Funktion upload_music der Datei app/controllers/v1/music.py der Komponente API Endpoint. Durch das Manipulieren des Arguments File mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Die Ausnutzung wurde ver\u00f6ffentlicht und kann verwendet werden."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2025-10-10T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2025-10-10T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2025-10-10T15:40:57.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "xuanSAMA (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.327929", "name": "VDB-327929 | harry0703 MoneyPrinterTurbo API Endpoint music.py upload_music path traversal", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.327929", "name": "VDB-327929 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.672550", "name": "Submit #672550 | MoneyPrinterTurbo GitHub Repository MoneyPrinterTurbo 1.2.6 Arbitrary File Write", "tags": ["third-party-advisory"]}, {"url": "https://www.notion.so/Arbitrary-File-Write-Vulnerability-in-MoneyPrinterTurbo-1-2-6-288014c4d9ca809bb411e4fe875d1e22", "tags": ["exploit"]}]}, "adp": [{"references": [{"url": "https://www.notion.so/Arbitrary-File-Write-Vulnerability-in-MoneyPrinterTurbo-1-2-6-288014c4d9ca809bb411e4fe875d1e22", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-14T14:48:32.873039Z", "id": "CVE-2025-11607", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-14T14:54:37.776Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11607", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-14T14:48:32.873039Z"}}}], "references": [{"url": "https://www.notion.so/Arbitrary-File-Write-Vulnerability-in-MoneyPrinterTurbo-1-2-6-288014c4d9ca809bb411e4fe875d1e22", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-14T14:48:44.052Z"}}], "cna": {"title": "harry0703 MoneyPrinterTurbo API Endpoint music.py upload_music path traversal", "credits": [{"lang": "en", "type": "reporter", "value": "xuanSAMA (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "harry0703", "modules": ["API Endpoint"], "product": "MoneyPrinterTurbo", "versions": [{"status": "affected", "version": "1.2.0"}, {"status": "affected", "version": "1.2.1"}, {"status": "affected", "version": "1.2.2"}, {"status": "affected", "version": "1.2.3"}, {"status": "affected", "version": "1.2.4"}, {"status": "affected", "version": "1.2.5"}, {"status": "affected", "version": "1.2.6"}]}], "timeline": [{"lang": "en", "time": "2025-10-10T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2025-10-10T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2025-10-10T15:40:57.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.327929", "name": "VDB-327929 | harry0703 MoneyPrinterTurbo API Endpoint music.py upload_music path traversal", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.327929", "name": "VDB-327929 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.672550", "name": "Submit #672550 | MoneyPrinterTurbo GitHub Repository MoneyPrinterTurbo 1.2.6 Arbitrary File Write", "tags": ["third-party-advisory"]}, {"url": "https://www.notion.so/Arbitrary-File-Write-Vulnerability-in-MoneyPrinterTurbo-1-2-6-288014c4d9ca809bb411e4fe875d1e22", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in harry0703 MoneyPrinterTurbo up to 1.2.6. The impacted element is the function upload_music of the file app/controllers/v1/music.py of the component API Endpoint. Executing manipulation of the argument File can lead to path traversal. The attack may be performed from remote. The exploit has been made available to the public and could be exploited."}, {"lang": "de", "value": "Es wurde eine Schwachstelle in harry0703 MoneyPrinterTurbo up to 1.2.6 entdeckt. Davon betroffen ist die Funktion upload_music der Datei app/controllers/v1/music.py der Komponente API Endpoint. Durch das Manipulieren des Arguments File mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Die Ausnutzung wurde ver\u00f6ffentlicht und kann verwendet werden."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "Path Traversal"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-10-11T16:32:05.833Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11607", "state": "PUBLISHED", "dateUpdated": "2025-10-14T14:54:37.776Z", "dateReserved": "2025-10-10T13:35:53.554Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2025-10-11T16:32:05.833Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in harry0703 MoneyPrinterTurbo up to 1.2.6. The impacted element is the function upload_music of the file app/controllers/v1/music.py of the component API Endpoint. Executing manipulation of the argument File can lead to path traversal. The attack may be performed from remote. The exploit has been made available to the public and could be exploited."}], "id": "CVE-2025-11607", "lastModified": "2025-10-14T19:36:59.730", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2025-10-11T17:15:37.513", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.327929"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.327929"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.672550"}, {"source": "cna@vuldb.com", "url": "https://www.notion.so/Arbitrary-File-Write-Vulnerability-in-MoneyPrinterTurbo-1-2-6-288014c4d9ca809bb411e4fe875d1e22"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://www.notion.so/Arbitrary-File-Write-Vulnerability-in-MoneyPrinterTurbo-1-2-6-288014c4d9ca809bb411e4fe875d1e22"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{}