Home / Vulnerability Intelligence / CVE-2025-41368

CVE-2025-41368 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: March 26, 2026

Small HTTP Server - Remote Code Execution

Published: March 26, 2026Updated: March 26, 2026Remote Exploitable

Overview

Small HTTP Server 3.06.36 contains an unquoted service path vulnerability caused by improper quoting of the executable path, letting local attackers execute arbitrary code by placing malicious executables in higher priority directories, exploit requires local access.

Severity & Score

Severity: High

CVSS Score: 8.1

EPSS Score: 2.2%(Probability of exploitation in next 30 days)

Impact

Local attackers can execute arbitrary code, leading to unauthorized system access or service disruption.

Mitigation

Properly quote the service path and apply the latest security patches.

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-small-http-server-smallsrv

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 26, 2026

🟠 CVE-2025-41368 - High (8.1) Problem in the Small HTTP Server v3.06.36 service. An authenticated path traversal vulnerability in '/' allows remote users to bypass the intended restrictions of SecurityManager and display any file if they have the appropriate permissions outsid... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-41368/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2025-41368
Severity: High
CVSS Score: 8.1
Type: undefined
Status: confirmed
EPSS: 2.2%
Social Posts: 1

CWE

CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Score

2.2%Probability of exploitation in the next 30 days