CVE-2025-5880

MEDIUM

Whistle 2.9.98 - Path Traversal via /cgi-bin/sessions/get-temp-file filename Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-5880. PoCs published by yacine-rm.

AI-analyzed exploit summary This repository contains a functional Python-based proof-of-concept exploit for CVE-2025-5880, an unauthenticated path traversal vulnerability in Whistle v2.9.98. The exploit targets the `/cgi-bin/sessions/get-temp-file` endpoint, allowing arbitrary file reads via the unsanitized `filename` parameter.

Description

A vulnerability has been found in Whistle 2.9.98 and classified as problematic. This vulnerability affects unknown code of the file /cgi-bin/sessions/get-temp-file. The manipulation of the argument filename leads to path traversal. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Exploits (1)

nomisec WORKING POC
by yacine-rm · poc
https://github.com/yacine-rm/CVE-2025-5880-PoC

This repository contains a functional Python-based proof-of-concept exploit for CVE-2025-5880, an unauthenticated path traversal vulnerability in Whistle v2.9.98. The exploit targets the `/cgi-bin/sessions/get-temp-file` endpoint, allowing arbitrary file reads via the unsanitized `filename` parameter.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Whistle ≤ 2.9.98
No auth needed
Prerequisites: Network access to the target Whistle instance
devstral-2 · analyzed Apr 24, 2026 Full analysis →

References (3)

Core 3
Core References
Permissions Required, VDB Entry vdb-entry technical-description
https://vuldb.com/?id.311638
Permissions Required, VDB Entry signature permissions-required
https://vuldb.com/?ctiid.311638
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/?submit.582867

Scores

CVSS v3 4.3
EPSS 0.0039
EPSS Percentile 30.9%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (1)
n/a/Whistle 2.9.98
Published Jun 09, 2025
Tracked Since Feb 18, 2026