CVE-2025-47788 Information

Description

Atheos is a self-hosted browser-based cloud IDE. Prior to v602 similar to GHSA-rgjm-6p59-537v/CVE-2025-22152 the $target parameter in /controller.php was not properly validated which could allow an attacker to execute arbitrary files on the server via path traversal. v602 contains a fix for the issue.

Reference

https://github.com/Atheos/Atheos/commit/97fe76871578d2011ebe9281f3a005c5df85162b https://github.com/Atheos/Atheos/security/advisories/GHSA-x9vw-6vfx-7rx5