The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
CVE ID: CVE-2025-25223
CVSS Base Severity: MEDIUM
CVSS Base Score: 5.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Vendor: LuxSoft
Product: The LuxCal Web Calendar
EPSS Score: 0.06% (probability of being exploited)
EPSS Percentile: 16.1% (scored less or equal to compared to others)
EPSS Date: 2025-03-19 (when was this score calculated)