CVE-2025-59099

Severity CVSS v4.0:

HIGH

Type:

Unavailable / Other

Publication date:

26/01/2026

Last modified:

26/01/2026

Description

The Access Manager is using the open source web server CompactWebServer written in C#. This web server is affected by a path traversal vulnerability, which allows an attacker to directly access files via simple GET requests without prior authentication. <br /> <br /> Hence, it is possible to retrieve all files stored on the file system, including the SQLite database Database.sq3, containing badge information and the corresponding PIN codes. Additionally, when trying to access certain files, the web server crashes and becomes unreachable for about 60 seconds. This can be abused to continuously send the request and cause denial of service.

Impact

Vector 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N CVSS v4.0 Severity and Metrics:

Base Score: 8.80 HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): None
User Interaction (UI): None
Confidentiality (VC): High
Integrity (VI): None
Availability (VA): Low
Confidentiality (SC): None
Integrity (SI): None
Availability (SA): None

Base Score 4.0

8.80

Severity 4.0

HIGH

CVE-2025-59099

Description

Impact

References to Advisories, Solutions, and Tools