CVE-2026-25069
SunFounder Pironman Dashboard <= 1.3.13 Path Traversal Arbitrary File Read/Deletion
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.3EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
31 Jan 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
SunFounder Pironman Dashboard (pm_dashboard) version 1.3.13 and prior contain a path traversal vulnerability in the log file API endpoints. An unauthenticated remote attacker can supply traversal sequences via the filename parameter to read and delete arbitrary files. Successful exploitation can disclose sensitive information and delete critical system files, resulting in data loss and potential system compromise or denial of service.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
SunFounder · Pironman Dashboard (pm_dashboard)References
https://gist.github.com/chapochapo/5db8702ede862af5c59a28b5d5a0aba3https://github.com/sunfounder/pm_dashboardhttps://github.com/sunfounder/pm_dashboard/blob/main/pm_dashboard/pm_dashboard.py#L440https://github.com/sunfounder/pm_dashboard/blob/main/pm_dashboard/pm_dashboard.py#L62https://www.vulncheck.com/advisories/sunfounder-pironman-dashboard-path-traversal-arbitrary-file-read-deletion