CVE-2025-66410

CRITICAL

Gin-vue-admin <2.8.6 - File Deletion

Description

Gin-vue-admin is a backstage management system based on Vue and Gin. In 2.8.6 and earlier, attackers can delete any file on the server at will, causing damage to or unavailability of server resources. By controlling the 'FileMd5' parameter, attackers can delete any file or folder.

Scores

CVSS v3 9.1
EPSS 0.0050
EPSS Percentile 38.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (2)
flipped-aurora/gin-vue-admin 0 - 0.9.1-0.20251201084432-ee8d8d7e04d9 (Go)
gin-vue-admin_project/gin-vue-admin < 2.8.6
Published Dec 01, 2025
Tracked Since Feb 18, 2026