
AIKIDO-2025-10546

phpmussel/frontend is vulnerable to Path Traversal

Path Traversal Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Aug 13, 2025

Score 55, Medium Risk

This Affects:

Package: phpmussel/frontend (php)
Affected versions: 3.0.0 - 3.6.2
Fixed in 3.7.0

TL;DR

Affected versions of this package are vulnerable to Path Traversal via getAssetPath. During frontend asset rendering, user-controlled GET parameters are passed to getAssetPath without adequate sanitization, so an attacker who controls those parameters can inject directory traversal sequences (such as ../) and make the frontend resolve and expose files outside the intended asset directory. Successful exploitation allows unauthorized reading of files on the server; the direct impact is information disclosure, and depending on what becomes readable (configuration, credentials), it may enable authentication bypass or further compromise of the server.
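The pattern described above, as an added example that is not code from phpmussel/frontend or this advisory: a hypothetical asset resolver that concatenates a request parameter onto the asset directory, beside a hardened version that allow-lists the file name, resolves it with realpath() and refuses anything that does not stay inside the asset directory. Function names, the directory layout and the sample requests are all assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration of the vulnerable/hardened getAssetPath pattern.
// Not phpmussel/frontend's own code; all names here are hypothetical.

/** Vulnerable: the raw request value is glued onto the asset directory. */
function getAssetPathVulnerable(string $assetDir, string $asset): string
{
    return rtrim($assetDir, '/') . '/' . $asset;
}

/**
 * Hardened: only a plain file name is accepted, the path is canonicalised
 * with realpath() (which collapses ".." and symlinks), and the result must
 * still sit below the asset directory. Returns null on any violation.
 */
function getAssetPathSafe(string $assetDir, string $asset): ?string
{
    // 1. Allow-list: letters, digits, dot, underscore, dash; no separators,
    //    and ".." is rejected outright as defence in depth.
    if (!preg_match('~^[A-Za-z0-9._-]+$~', $asset) || strpos($asset, '..') !== false) {
        return null;
    }
    $base = realpath($assetDir);
    if ($base === false) {
        return null;
    }
    // 2. Canonicalise and confine: realpath() fails for missing files, and
    //    anything that resolves outside "$base/" is refused.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $asset);
    if ($resolved === false || strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $resolved;
}

// Constructed fixture in a temporary directory so the script runs anywhere.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'asset-demo-' . bin2hex(random_bytes(4));
mkdir($tmp . '/assets', 0700, true);
file_put_contents($tmp . '/assets/style.css', "body{}\n");   // legitimate asset
file_put_contents($tmp . '/secret.txt', "not an asset\n");   // outside the asset dir

// Constructed request values, as they would arrive in a GET parameter.
$requests = ['style.css', '../secret.txt', '..%2Fsecret.txt', 'style.css/../../secret.txt'];
foreach ($requests as $raw) {
    $asset = rawurldecode($raw); // PHP decodes %2F before populating $_GET
    $bad  = getAssetPathVulnerable($tmp . '/assets', $asset);
    $good = getAssetPathSafe($tmp . '/assets', $asset);
    printf("%-28s vulnerable=%-16s hardened=%s\n", $raw,
        is_file($bad) ? 'READS ' . basename($bad) : 'miss',
        $good === null ? 'rejected' : 'serves ' . basename($good));
}

// Clean up the fixture.
unlink($tmp . '/assets/style.css');
unlink($tmp . '/secret.txt');
rmdir($tmp . '/assets');
rmdir($tmp);
```

Run it with `php example.php`: the vulnerable resolver reads secret.txt for both the plain and the URL-encoded `../` request, while the hardened resolver serves only style.css and rejects every traversal attempt. The prefix check is what matters; the regex alone would not stop a request that resolves through a symlink placed inside the asset directory, which is why realpath() is applied to both sides before comparing.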

Who does this affect?

You are affected if you use phpmussel/frontend at any version in the vulnerable range, 3.0.0 through 3.6.2 (that is, anything below 3.7.0).

Background info

phpmussel/frontend is vulnerable to Path Traversal in versions 3.0.0 - 3.6.2.

How to fix this

Upgrade phpmussel/frontend to 3.7.0 or later, the version that contains the fix, and confirm the installed version in your composer.lock after updating.