{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-11607","assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","state":"PUBLISHED","assignerShortName":"VulDB","dateReserved":"2025-10-10T13:35:53.554Z","datePublished":"2025-10-11T16:32:05.833Z","dateUpdated":"2026-02-24T06:59:23.650Z"},"containers":{"cna":{"providerMetadata":{"orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB","dateUpdated":"2026-02-24T06:59:23.650Z"},"title":"harry0703 MoneyPrinterTurbo API Endpoint music.py upload_music path traversal","problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-22","lang":"en","description":"Path Traversal"}]}],"affected":[{"vendor":"harry0703","product":"MoneyPrinterTurbo","versions":[{"version":"1.2.0","status":"affected"},{"version":"1.2.1","status":"affected"},{"version":"1.2.2","status":"affected"},{"version":"1.2.3","status":"affected"},{"version":"1.2.4","status":"affected"},{"version":"1.2.5","status":"affected"},{"version":"1.2.6","status":"affected"}],"cpes":["cpe:2.3:a:harry0703:moneyprinterturbo:*:*:*:*:*:*:*:*"],"modules":["API Endpoint"]}],"descriptions":[{"lang":"en","value":"A weakness has been identified in harry0703 MoneyPrinterTurbo up to 1.2.6. The impacted element is the function upload_music of the file app/controllers/v1/music.py of the component API Endpoint. Executing a manipulation of the argument File can lead to path traversal. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks."}],"metrics":[{"cvssV4_0":{"version":"4.0","baseScore":5.3,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P","baseSeverity":"MEDIUM"}},{"cvssV3_1":{"version":"3.1","baseScore":6.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R","baseSeverity":"MEDIUM"}},{"cvssV3_0":{"version":"3.0","baseScore":6.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R","baseSeverity":"MEDIUM"}},{"cvssV2_0":{"version":"2.0","baseScore":6.5,"vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}],"timeline":[{"time":"2025-10-10T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"time":"2025-10-10T02:00:00.000Z","lang":"en","value":"VulDB entry created"},{"time":"2025-11-21T17:07:57.000Z","lang":"en","value":"VulDB entry last update"}],"credits":[{"lang":"en","value":"xuanSAMA (VulDB User)","type":"reporter"}],"references":[{"url":"https://vuldb.com/?id.327929","name":"VDB-327929 | harry0703 MoneyPrinterTurbo API Endpoint music.py upload_music path traversal","tags":["vdb-entry","technical-description"]},{"url":"https://vuldb.com/?ctiid.327929","name":"VDB-327929 | CTI Indicators (IOB, IOC, TTP, IOA)","tags":["signature","permissions-required"]},{"url":"https://vuldb.com/?submit.672550","name":"Submit #672550 | MoneyPrinterTurbo GitHub Repository MoneyPrinterTurbo 1.2.6 Arbitrary File Write","tags":["third-party-advisory"]},{"url":"https://www.notion.so/Arbitrary-File-Write-Vulnerability-in-MoneyPrinterTurbo-1-2-6-288014c4d9ca809bb411e4fe875d1e22","tags":["exploit"]}]},"adp":[{"references":[{"url":"https://www.notion.so/Arbitrary-File-Write-Vulnerability-in-MoneyPrinterTurbo-1-2-6-288014c4d9ca809bb411e4fe875d1e22","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-10-14T14:48:32.873039Z","id":"CVE-2025-11607","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-14T14:54:37.776Z"}}]}}