CVE-2009-2265

Multiple directory traversal vulnerabilities in FCKeditor before 2.6.4.1 allow remote attackers to create executable files in arbitrary directories via directory traversal sequences in the input to unspecified connector modules, as exploited in the wild for remote code execution in July 2009, related to the file browser and the editor/filemanager/connectors/ directory.
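The description above comes down to one coding error: the connector modules build a filesystem path from client-supplied folder and file names and never confirm that the result still lies inside the upload root, nor that the file name is something the server will not execute. The following Python is an added illustration, not FCKeditor's connector code: `vulnerable_target` shows the unsafe concatenation pattern and `hardened_target` the checks that close it (reject traversal components, canonicalise, prove containment, allow-list the extension). The upload root, the parameter names and the extension allow-list are assumptions made for the example.

```python
"""Directory traversal in a file-manager upload connector: the unsafe
path-building pattern beside a hardened version.  Illustrative example,
not FCKeditor's own connector code; the upload root, parameter names and the
extension allow-list below are assumptions."""
import os
import posixpath
import re
import tempfile

# Assumed upload root (a throwaway temp directory so the example runs anywhere).
UPLOAD_ROOT = tempfile.mkdtemp(prefix="userfiles_")

# Allow-list of upload extensions.  An allow-list, not a deny-list, so variants
# such as .php5, .phtml, .asa or .cfm cannot slip past the check.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "txt", "pdf"}

# A file name is one path component: safe characters, exactly one extension.
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}")


class TraversalRejected(ValueError):
    """Raised by the hardened connector for any request it refuses."""


def vulnerable_target(current_folder: str, new_file_name: str) -> str:
    """The unsafe pattern: join client-controlled CurrentFolder and file name
    onto the upload root with no canonicalisation and no containment check.
    '../' in either value walks out of UPLOAD_ROOT, and nothing restricts the
    extension, so 'shell.php' lands wherever the attacker points it."""
    return os.path.join(UPLOAD_ROOT, current_folder.lstrip("/"), new_file_name)


def hardened_target(current_folder: str, new_file_name: str) -> str:
    """Resolve the requested folder, prove it is still inside UPLOAD_ROOT, and
    accept only a single-component file name with an allow-listed extension."""
    # 1. Cheap syntactic rejections before touching the filesystem.
    if "\x00" in current_folder or "\x00" in new_file_name:
        raise TraversalRejected("NUL byte in input")
    if "\\" in current_folder or ".." in current_folder.split("/"):
        raise TraversalRejected("traversal sequence in folder")
    # 2. Canonicalise (collapses './' and '//'), resolve symlinks, then check
    #    that the real path still has UPLOAD_ROOT as its prefix component-wise.
    folder = posixpath.normpath("/" + current_folder).lstrip("/")
    root = os.path.realpath(UPLOAD_ROOT)
    resolved = os.path.realpath(os.path.join(root, folder))
    if os.path.commonpath([root, resolved]) != root:
        raise TraversalRejected("folder escapes upload root")
    # 3. The file name must be one component with an allow-listed extension.
    if not SAFE_NAME_RE.fullmatch(new_file_name):
        raise TraversalRejected("file name is not a plain name.ext")
    extension = new_file_name.rsplit(".", 1)[1].lower()
    if extension not in ALLOWED_EXTENSIONS:
        raise TraversalRejected(f"extension .{extension} is not allowed")
    return os.path.join(resolved, new_file_name)


def escapes_root(path: str) -> bool:
    """True when a computed target path lies outside UPLOAD_ROOT."""
    root = os.path.realpath(UPLOAD_ROOT)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


def is_rejected(current_folder: str, new_file_name: str) -> bool:
    """True when the hardened connector refuses the request."""
    try:
        hardened_target(current_folder, new_file_name)
    except TraversalRejected:
        return True
    return False


if __name__ == "__main__":
    for folder, name in [("images", "photo.jpg"), ("../../", "shell.php"),
                         ("images", "shell.php"), ("images/..//../tmp", "x.jpg")]:
        unsafe = vulnerable_target(folder, name)
        print(f"{folder!r:22} {name!r:12} unsafe escapes root: {escapes_root(unsafe)!s:5} "
              f"hardened rejects: {is_rejected(folder, name)}")
```

The containment check is done on the resolved path rather than on the raw string, so symlinks inside the upload root and encoded variants that a framework has already decoded are caught by the same test; the extension allow-list is what turns "write a file outside the tree" from remote code execution into, at worst, a junk file.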

Published: 2009-07-05
Last update: 2026-04-23
Assigner: [email protected]
Source: [email protected]

Conclusion & alert: CVE-2009-2265 is rated High Exploit Risk (79.8/100): CVSS v2 base score 7.5 (High) combined with a high exploitation likelihood (EPSS 92.20%, 100th percentile). Core evidence: 2 public exploit references are indexed in Exploit-DB. Mandatory action: public exploits are available, so assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2009-2265

EDB-ID  Source      Kind  Published   Link
50057   exploit_db  edb   2021-06-24  https://www.exploit-db.com/exploits/50057
16788   exploit_db  edb   2010-11-24  https://www.exploit-db.com/exploits/16788
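The description says the connector traversal was exploited in the wild, and the alert above asks for an exposure assessment. The following Python is an added example (not from this page, from Exploit-DB, or from the FCKeditor project) that triages Common Log Format access logs for the two traces such activity leaves: requests to the connector endpoints whose parameters carry traversal sequences or executable file names, and later fetches of executable files from the upload directory. The sample log lines are constructed; the `editor/filemanager/connectors/` path is the one named in the description, while the `/userfiles/` upload directory, the parameter names and the extension list are assumptions.

```python
"""Triage Common Log Format access logs for the observable traces of the
FCKeditor connector traversal: connector requests carrying '..' or executable
file names in their parameters, and later fetches of executable files from the
upload directory.  Added example with constructed log lines; the connector path
is from the advisory, the /userfiles/ upload directory, parameter names and
extension list are assumptions."""
import re
from urllib.parse import unquote

# Constructed sample log (RFC 5737 documentation addresses, not a real incident).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jul/2009:10:12:01 +0000] "GET /editor/filemanager/connectors/php/connector.php?Command=GetFolders&Type=File&CurrentFolder=/ HTTP/1.1" 200 512
203.0.113.5 - - [05/Jul/2009:10:12:09 +0000] "POST /editor/filemanager/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=/..%2F..%2F HTTP/1.1" 200 87
198.51.100.7 - - [05/Jul/2009:10:13:44 +0000] "POST /editor/filemanager/connectors/php/connector.php?Command=FileUpload&Type=Image&CurrentFolder=/ HTTP/1.1" 200 87
198.51.100.7 - - [05/Jul/2009:10:15:00 +0000] "POST /editor/filemanager/connectors/php/connector.php?Command=CreateFolder&Type=File&CurrentFolder=/&NewFolderName=..%252F..%252Fwebroot HTTP/1.1" 200 60
192.0.2.9 - - [05/Jul/2009:10:20:31 +0000] "GET /images/logo.png HTTP/1.1" 200 4096
192.0.2.9 - - [05/Jul/2009:10:21:02 +0000] "GET /userfiles/file/cmd.php?c=id HTTP/1.1" 200 33
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Connector and browser paths named in the advisory (any server-side language).
CONNECTOR_RE = re.compile(r"/editor/filemanager/(connectors|browser)/", re.I)
# A '..' path component, with either slash style.
TRAVERSAL_RE = re.compile(r"(^|[/\\])\.\.([/\\]|$)")
# Server-executable extensions, also caught inside double extensions (x.php.jpg).
EXEC_EXT_RE = re.compile(
    r"\.(php\d?|phtml|asp|aspx|asa|cer|cfm|cfc|jsp|jspx|pl|py|sh|exe)(\.|$)", re.I
)
UPLOAD_DIR_RE = re.compile(r"^/userfiles/", re.I)  # assumed default upload path


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode until stable so double-encoded %252e%252e also becomes '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def triage(log_text: str) -> list:
    """Return one finding per suspicious request: ip, timestamp, decoded
    target and the list of reasons it was flagged."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        raw_path, _, raw_query = match["target"].partition("?")
        path = decode_fully(raw_path)
        # Split the query before decoding so an encoded '&' in a value cannot
        # smuggle a second parameter past the parser.
        params = {}
        for pair in filter(None, raw_query.split("&")):
            key, _, value = pair.partition("=")
            params[decode_fully(key)] = decode_fully(value)
        reasons = []
        if CONNECTOR_RE.search(path):
            for key, value in params.items():
                if TRAVERSAL_RE.search(value):
                    reasons.append(f"traversal in {key}")
                if EXEC_EXT_RE.search(value):
                    reasons.append(f"executable name in {key}")
        elif UPLOAD_DIR_RE.search(path) and EXEC_EXT_RE.search(path):
            reasons.append("executable fetched from upload directory")
        if reasons:
            findings.append({"ip": match["ip"], "ts": match["ts"],
                             "target": path + ("?" + raw_query if raw_query else ""),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ip']:14} {f['ts']}  {', '.join(f['reasons'])}\n    {f['target']}")
```

One caveat when reading the results: the uploaded file's name travels in the multipart POST body, which access logs do not record, so the third sample line (a plain FileUpload to `/`) is invisible to this check even if it carried a web shell. The compensating indicators are the later request for an executable under the upload directory and a filesystem sweep of the upload root for server-executable files; and before any of that, confirm whether the connector endpoints are reachable from the network at all.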

Exploit prediction scoring system (EPSS) score for CVE-2009-2265

EPSS lead: EPSS, recomputed daily, estimates the probability that the vulnerability will be exploited in the wild within the next 30 days; the percentile ranks that probability against all scored CVEs, so a higher percentile means a higher relative likelihood of exploitation, not a higher severity.

#  Date        Old EPSS score  New EPSS score  Delta (New - Old)
1  2026-06-10  92.34%          92.20%          -0.14%
2  2026-05-20  92.76%          92.34%          -0.42%
3  2026-04-21  (no prior)      92.76%

Full EPSS history (24 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2009-2265

Base score  Version  Severity  Vector                      Exploitability  Impact  Score source
7.5         2.0      HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P  10.0            6.4     [email protected]

Vector breakdown (CVSS v2.0):
Access vector (AV:N): exploitable remotely by any host that can reach the application over the network.
Access complexity (AC:L): no special access conditions; the traversal sequences are sent directly in the connector request.
Authentication (Au:N): no authentication is required.
Confidentiality impact (C:P): partial; some data can be disclosed, but the attacker does not control what or how much.
Integrity impact (I:P): partial; some files or data on the system can be modified (here, files written outside the upload directory).
Availability impact (A:P): partial; reduced performance or interruptions in resource availability.
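As an added worked example (not part of this page's data), the following Python reproduces the CVSS v2.0 base-score arithmetic for the vector above, so the 7.5 / 10.0 / 6.4 in the table can be checked rather than taken on trust. The weight tables and constants are those of the CVSS v2 specification; the parser and severity bands are written here for the example.

```python
"""CVSS v2.0 base-score arithmetic, added here to check the numbers in the
table above rather than take them on trust.  Weights and formulas are those of
the CVSS v2 specification (equation constants 10.41, 20, 0.6, 0.4, 1.5, 1.176)."""

# Metric weights from the CVSS v2.0 base equation.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}       # local / adjacent / network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}    # high / medium / low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}      # multiple / single / none
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}              # none / partial / complete
REQUIRED = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
            "C": IMPACT, "I": IMPACT, "A": IMPACT}


def parse_vector(vector: str) -> dict:
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into {'AV': 'N', ...}.  Rejects
    unknown metrics, unknown values, and vectors missing a base metric."""
    metrics = {}
    for part in vector.strip("()").split("/"):
        key, sep, value = part.partition(":")
        if not sep or key not in REQUIRED or value not in REQUIRED[key]:
            raise ValueError(f"bad CVSS v2 metric: {part!r}")
        metrics[key] = value
    missing = set(REQUIRED) - set(metrics)
    if missing:
        raise ValueError(f"vector missing base metrics: {sorted(missing)}")
    return metrics


def cvss2_base(vector: str) -> tuple:
    """Return (base, exploitability, impact), each rounded to one decimal as
    the spec does; the base score is computed from the unrounded subscores."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    # f(Impact) is 0 when there is no impact at all, 1.176 otherwise.
    if impact == 0:
        base = 0.0
    else:
        base = (0.6 * impact + 0.4 * exploitability - 1.5) * 1.176
    return round(base, 1), round(exploitability, 1), round(impact, 1)


def severity_v2(base_score: float) -> str:
    """NVD's qualitative bands for CVSS v2: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if base_score >= 7.0:
        return "HIGH"
    if base_score >= 4.0:
        return "MEDIUM"
    return "LOW"


if __name__ == "__main__":
    vector = "AV:N/AC:L/Au:N/C:P/I:P/A:P"
    base, expl, imp = cvss2_base(vector)
    print(f"{vector}: base {base} ({severity_v2(base)}), exploitability {expl}, impact {imp}")
```

The point worth noticing in the arithmetic is how much of the 7.5 comes from the exploitability side: network-reachable, low complexity, no authentication gives the maximum 10.0, while three "partial" impacts contribute only 6.4. Any one of the impacts raised to "complete" would push the base score above 9.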

Weakness enumeration for CVE-2009-2265

OS Trackers for CVE-2009-2265

Vendor  Priority  Summary / link
redhat  high      https://access.redhat.com/security/cve/CVE-2009-2265
ubuntu  low       Ubuntu tracks 2 source packages (fckeditor, moin) across 10 suites (dapper, hardy, intrepid, jaunty, karmic, lucid, maverick, natty, oneiric, upstream), 20 status rows in all: 14 not-affected, 2 ignored, 2 released, 1 DNE (package does not exist in that suite), 1 needs-triage.
                  https://ubuntu.com/security/CVE-2009-2265

Affected software / configurations for CVE-2009-2265

Vendor     Product    Version     Raw CPE
fckeditor  fckeditor  <= 2.6.4    cpe:2.3:a:fckeditor:fckeditor:*:*:*:*:*:*:*:*
fckeditor  fckeditor  2.0         cpe:2.3:a:fckeditor:fckeditor:2.0:*:*:*:*:*:*:*
fckeditor  fckeditor  2.0_fc      cpe:2.3:a:fckeditor:fckeditor:2.0_fc:*:*:*:*:*:*:*
fckeditor  fckeditor  2.0_rc2     cpe:2.3:a:fckeditor:fckeditor:2.0_rc2:*:*:*:*:*:*:*
fckeditor  fckeditor  2.0rc2      cpe:2.3:a:fckeditor:fckeditor:2.0rc2:*:*:*:*:*:*:*
fckeditor  fckeditor  2.0rc3      cpe:2.3:a:fckeditor:fckeditor:2.0rc3:*:*:*:*:*:*:*
fckeditor  fckeditor  2.1         cpe:2.3:a:fckeditor:fckeditor:2.1:*:*:*:*:*:*:*
fckeditor  fckeditor  2.1.1       cpe:2.3:a:fckeditor:fckeditor:2.1.1:*:*:*:*:*:*:*
fckeditor  fckeditor  2.2         cpe:2.3:a:fckeditor:fckeditor:2.2:*:*:*:*:*:*:*
fckeditor  fckeditor  2.3         cpe:2.3:a:fckeditor:fckeditor:2.3:*:*:*:*:*:*:*
fckeditor  fckeditor  2.3 beta    cpe:2.3:a:fckeditor:fckeditor:2.3:beta:*:*:*:*:*:*
fckeditor  fckeditor  2.3.1       cpe:2.3:a:fckeditor:fckeditor:2.3.1:*:*:*:*:*:*:*
fckeditor  fckeditor  2.3.2       cpe:2.3:a:fckeditor:fckeditor:2.3.2:*:*:*:*:*:*:*
fckeditor  fckeditor  2.3.3       cpe:2.3:a:fckeditor:fckeditor:2.3.3:*:*:*:*:*:*:*
fckeditor  fckeditor  2.4         cpe:2.3:a:fckeditor:fckeditor:2.4:*:*:*:*:*:*:*
fckeditor  fckeditor  2.4.1       cpe:2.3:a:fckeditor:fckeditor:2.4.1:*:*:*:*:*:*:*
fckeditor  fckeditor  2.4.2       cpe:2.3:a:fckeditor:fckeditor:2.4.2:*:*:*:*:*:*:*
fckeditor  fckeditor  2.4.3       cpe:2.3:a:fckeditor:fckeditor:2.4.3:*:*:*:*:*:*:*
fckeditor  fckeditor  2.5         cpe:2.3:a:fckeditor:fckeditor:2.5:*:*:*:*:*:*:*
fckeditor  fckeditor  2.5 beta    cpe:2.3:a:fckeditor:fckeditor:2.5:beta:*:*:*:*:*:*
fckeditor  fckeditor  2.5.1       cpe:2.3:a:fckeditor:fckeditor:2.5.1:*:*:*:*:*:*:*
fckeditor  fckeditor  2.6         cpe:2.3:a:fckeditor:fckeditor:2.6:*:*:*:*:*:*:*
fckeditor  fckeditor  2.6.1       cpe:2.3:a:fckeditor:fckeditor:2.6.1:*:*:*:*:*:*:*
fckeditor  fckeditor  2.6.2       cpe:2.3:a:fckeditor:fckeditor:2.6.2:*:*:*:*:*:*:*
fckeditor  fckeditor  2.6.3       cpe:2.3:a:fckeditor:fckeditor:2.6.3:*:*:*:*:*:*:*
fckeditor  fckeditor  2.6.3 beta  cpe:2.3:a:fckeditor:fckeditor:2.6.3:beta:*:*:*:*:*:*
fckeditor  fckeditor  2.6.4 beta  cpe:2.3:a:fckeditor:fckeditor:2.6.4:beta:*:*:*:*:*:*

References for CVE-2009-2265

URL Tags
http://isc.sans.org/diary.html?storyid=6724
http://mail.zope.org/pipermail/zope-dev/2009-July/037195.html
http://packetstormsecurity.com/files/163271/Adobe-ColdFusion-8-Remote-Command-Execution.html
http://secunia.com/advisories/35833
http://secunia.com/advisories/35909
http://sourceforge.net/project/shownotes.php?release_id=695430
http://www.debian.org/security/2009/dsa-1836
http://www.ocert.org/advisories/ocert-2009-007.html Patch
http://www.securityfocus.com/archive/1/504721/100/0/threaded
http://www.securitytracker.com/id?1022513
http://www.vupen.com/english/advisories/2009/1813
http://www.vupen.com/english/advisories/2009/1825
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00710.html
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00750.html