This page aggregates CVE and security vulnerability intelligence across all Pydio-related products (Pydio Cells, Pydio Core/Enterprise, and the earlier AjaXplorer releases), including CVSS, EPSS, publication dates, and related vulnerability intelligence data.
Historical issues mainly involve cross-site scripting (XSS), path traversal in file operations (Copy, Move, Delete, Compress and ZIP extraction), broken access control around user and role creation, server-side request forgery (SSRF) in remote-download features and, in the older PHP-based Pydio Core/AjaXplorer code base, PHP object injection and shell command injection leading to remote code execution. Some flaws allow account or session compromise (for example, recovering the hidden account behind a public share link), and the affected surface spans both self-hosted Pydio Cells deployments and the Pydio Cells Enterprise OVF appliance.
| CVE | Summary | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2024-40124 | Pydio Core <= 8.2.5 is vulnerable to Cross Site Scripting (XSS) via the New URL Bookmark feature. | 5.4 | 0.28% | 2025-04-17 | 2025-06-25 |
| CVE-2023-32751 | Pydio Cells through 4.1.2 allows XSS. Pydio Cells implements the download of files using presigned URLs which are generated using the Amazon AWS SDK for JavaScript [1]. The secrets used to sign these URLs are hardcoded and exposed through the JavaScript files of the web application. Therefore, it is possible to generate valid signatures for arbitrary download URLs. By uploading an HTML file and modifying the download URL to serve the file inline instead of as an attachment, any included JavaScri | 5.4 | 1.36% | 2023-06-08 | 2025-01-06 |
| CVE-2023-32750 | Pydio Cells through 4.1.2 allows SSRF. For longer running processes, Pydio Cells allows for the creation of jobs, which are run in the background. The job "remote-download" can be used to cause the backend to send a HTTP GET request to a specified URL and save the response to a new file. The response file is then available in a user-specified folder in Pydio Cells. | 6.5 | 11.93% | 2023-06-08 | 2025-01-06 |
| CVE-2023-32749 | Pydio Cells allows users by default to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assign the new user arbitrary roles. By assigning all roles to a newly created user, access to all cells and non-personal workspaces is granted. | 8.8 | 55.61% | 2023-06-08 | 2025-01-06 |
| CVE-2021-41324 | Directory traversal in the Copy, Move, and Delete features in Pydio Cells 2.2.9 allows remote authenticated users to enumerate personal files (or Cells files belonging to any user) via the nodes parameter (for Copy and Move) or via the Path parameter (for Delete). | 6.5 | 0.37% | 2021-09-30 | 2024-11-21 |
| CVE-2021-41325 | Broken access control for user creation in Pydio Cells 2.2.9 allows remote anonymous users to create standard users via the profile parameter. (In addition, such users can be granted several admin permissions via the Roles parameter.) | 6.5 | 0.21% | 2021-09-30 | 2024-11-21 |
| CVE-2021-41323 | Directory traversal in the Compress feature in Pydio Cells 2.2.9 allows remote authenticated users to overwrite personal files, or Cells files belonging to any user, via the format parameter. | 6.5 | 0.28% | 2021-09-30 | 2024-11-21 |
| CVE-2020-12850 | The following vulnerability applies only to the Pydio Cells Enterprise OVF version 2.0.4. Prior versions of the Pydio Cells Enterprise OVF (such as version 2.0.3) have a looser policy restriction allowing the “pydio” user to execute any privileged command using sudo. In version 2.0.4 of the appliance, the user pydio is responsible for running all the services and binaries that are contained in the Pydio Cells web application package, such as mysqld, cells, among others. This user has privileges | 7.0 | 0.08% | 2020-06-11 | 2024-11-21 |
| CVE-2020-12849 | Pydio Cells 2.0.4 allows any user to upload a profile image to the web application, including standard and shared user roles. These profile pictures can later be accessed directly with the generated URL by any unauthenticated or authenticated user. | 5.4 | 0.63% | 2020-06-05 | 2024-11-21 |
| CVE-2020-12848 | In Pydio Cells 2.0.4, once an authenticated user shares a file selecting the create a public link option, a hidden shared user account is created in the backend with a random username. An anonymous user that obtains a valid public link can get the associated hidden account username and password and proceed to login to the web application. Once logged into the web application with the hidden user account, some actions that were not available with the public share link can now be performed. | 5.4 | 0.51% | 2020-06-05 | 2024-11-21 |
| CVE-2020-12853 | Pydio Cells 2.0.4 allows XSS. A malicious user can either upload or create a new file that contains potentially malicious HTML and JavaScript code to personal folders or accessible cells. | 6.1 | 0.24% | 2020-06-04 | 2024-11-21 |
| CVE-2020-12852 | The update feature for Pydio Cells 2.0.4 allows an administrator user to set a custom update URL and the public RSA key used to validate the downloaded update package. The update process involves downloading the updated binary file from a URL indicated in the update server response, validating its checksum and signature with the provided public key and finally replacing the current application binary. To complete the update process, the application’s service or appliance needs to be restarted. A | 6.8 | 1.41% | 2020-06-04 | 2024-11-21 |
| CVE-2020-12851 | Pydio Cells 2.0.4 allows an authenticated user to write or overwrite existing files in another user’s personal and cells folders (repositories) by uploading a custom generated ZIP file and leveraging the file extraction feature present in the web application. The extracted files will be placed in the targeted user folders. | 8.1 | 1.24% | 2020-06-04 | 2024-11-21 |
| CVE-2020-12847 | Pydio Cells 2.0.4 web application offers an administrative console named “Cells Console” that is available to users with an administrator role. This console provides an administrator user with the possibility of changing several settings, including the application’s mailer configuration. It is possible to configure a few engines to be used by the mailer application to send emails. If the user selects the “sendmail” option as the default one, the web application offers to edit the full path where | 7.2 | 1.49% | 2020-06-04 | 2024-11-21 |
| CVE-2019-20453 | A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/uploader.http/HttpDownload.php. An authenticated user with basic privileges can inject objects and achieve remote code execution. | 8.8 | 4.37% | 2020-03-17 | 2024-11-21 |
| CVE-2019-20452 | A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise before 8.2.4. A PHP object injection is present in the page plugins/core.access/src/RecycleBinManager.php. An authenticated user with basic privileges can inject objects and achieve remote code execution. | 8.8 | 4.37% | 2020-03-17 | 2024-11-21 |
| CVE-2013-4267 | Ajaxeplorer before 5.0.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) archive_name parameter to the Power FS module (plugins/action.powerfs/class.PowerFSController.php), a (2) file name to the getTrustSizeOnFileSystem function in the File System (Standard) module (plugins/access.fs/class.fsAccessWrapper.php), or the (3) revision parameter to the Subversion Repository module (plugins/meta.svn/class.SvnManager.php). | 9.8 | 7.06% | 2020-02-11 | 2024-11-21 |
| CVE-2019-15033 | Pydio 6.0.8 allows Authenticated SSRF during a Remote Link Feature download. An attacker can specify an intranet address in the file parameter to index.php, when sending a file to a remote server, as demonstrated by the file=http%3A%2F%2F192.168.1.2 substring. | 7.7 | 0.38% | 2019-09-19 | 2024-11-21 |
| CVE-2019-15032 | Pydio 6.0.8 mishandles error reporting when a directory allows unauthenticated uploads, and the remote-upload option is used with the http://localhost:22 URL. The attacker can obtain sensitive information such as the name of the user who created that directory and other internal server information. | 5.3 | 0.44% | 2019-09-19 | 2024-11-21 |
| CVE-2019-12903 | Pydio Cells before 1.5.0, when supplied with a Name field in an unexpected Unicode format, fails to handle this and includes the database column/table name as part of the error message, exposing sensitive information. | 4.3 | 0.23% | 2019-06-20 | 2024-11-21 |
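Several entries above share one root cause: a user-supplied path (the `nodes` and `Path` parameters of CVE-2021-41324, the Compress target of CVE-2021-41323, the entry names inside an uploaded ZIP in CVE-2020-12851) is joined to a workspace directory without being confined to it. The following Go example, added here as an illustration and not taken from Pydio's own code, shows the lexical check a file-sharing backend needs before any copy, move, delete or extraction touches the disk. The function names, the workspace root path and the archive contents are all constructed for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for any path that would leave the workspace root.
var ErrOutsideRoot = errors.New("path escapes workspace root")

// ConfinePath takes the workspace root the caller is authorised for and a
// user-controlled, slash-separated path (a "nodes"/"Path" parameter or a ZIP
// entry name) and returns the on-disk destination, or ErrOutsideRoot.
// It is a lexical check only: it assumes the input is already URL-decoded and
// that no symlink inside root points outside it (run filepath.EvalSymlinks on
// the result before trusting it where users can create symlinks).
func ConfinePath(root, userPath string) (string, error) {
	// Treat backslashes as separators so "..\..\" is not waved through on a
	// Linux host where only "/" would otherwise be recognised.
	p := strings.ReplaceAll(userPath, `\`, "/")
	// Workspace paths are root-relative: a leading "/" means "the workspace
	// root", not the filesystem root, so strip it before cleaning.
	p = path.Clean(strings.TrimLeft(p, "/"))
	// After Clean, any surviving ".." can only sit at the start, which means the
	// path climbs above the root. Reject instead of silently rewriting so the
	// attempt can be logged as an access-control violation.
	if p == ".." || strings.HasPrefix(p, "../") {
		return "", ErrOutsideRoot
	}
	// On Windows hosts a drive letter ("C:/...") survives path.Clean; refuse
	// anything absolute or volume-qualified (both checks are no-ops on Unix).
	if filepath.IsAbs(filepath.FromSlash(p)) || filepath.VolumeName(p) != "" {
		return "", ErrOutsideRoot
	}
	full := filepath.Join(root, filepath.FromSlash(p))
	// Final authoritative check: the result must still be relative to root.
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// ExtractionTargets maps every entry of an uploaded ZIP to a confined
// destination under root and refuses the whole archive if any entry escapes,
// so a single crafted entry cannot write into another user's folder.
func ExtractionTargets(root string, archive []byte) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	targets := make([]string, 0, len(r.File))
	for _, f := range r.File {
		dst, err := ConfinePath(root, f.Name)
		if err != nil {
			return nil, fmt.Errorf("zip entry %q: %w", f.Name, err)
		}
		targets = append(targets, dst)
	}
	return targets, nil
}

// buildArchive constructs an in-memory ZIP with the given entry names. It is
// sample input for the demo; archive/zip does not validate entry names, which
// is exactly why the extractor must.
func buildArchive(names []string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range names {
		fw, err := w.Create(n)
		if err != nil {
			panic(err)
		}
		if _, err := fw.Write([]byte("payload")); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// Hypothetical per-user workspace root; not a real Pydio layout.
	root := filepath.Join(string(filepath.Separator), "srv", "cells", "data", "alice")
	for _, p := range []string{"/docs/report.pdf", "docs/../../bob/secret.txt", `..\..\etc\passwd`} {
		dst, err := ConfinePath(root, p)
		fmt.Printf("%-28q -> %q err=%v\n", p, dst, err)
	}
	_, err := ExtractionTargets(root, buildArchive([]string{"ok/a.txt", "../bob/pwn.txt"}))
	fmt.Println("crafted archive:", err)
}
```

The check deliberately rejects rather than normalises: Go's own `http.Dir` style of prefixing a "/" before `path.Clean` turns `../../etc/passwd` into `/etc/passwd` under the root, which hides the attempt from logs. Rejecting the request leaves an audit trail for the kind of enumeration described in CVE-2021-41324.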