CVE-2024-12866: Local File Inclusion in netease-youdao/qanything

7.5 CVSS

Description

A local file inclusion vulnerability exists in netease-youdao/qanything version v2.0.0. This vulnerability allows an attacker to read arbitrary files on the file system, which can lead to remote code execution by retrieving private SSH keys, reading private files, source code, and configuration files.

Classification

CVE ID: CVE-2024-12866

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem Types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected Products

Vendor: netease-youdao

Product: netease-youdao/qanything

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.16% (estimated probability of exploitation)

EPSS Percentile: 38.42% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-18 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-12866
https://huntr.com/bounties/c23da7c7-a226-40a2-83db-6a8ab1b2ef64

Timeline