7.8
Apache HTTP Server: Sensitive Files Bypass via Unicode Normalization
CVE-2025-48567
ASB-A-377888957
Summary
Some Apache HTTP Server users may be able to access restricted files on the server by exploiting a flaw in the way the server handles certain types of file paths. This could potentially allow an attacker to access sensitive information without needing additional permissions. To protect against this, users should update their Apache HTTP Server to the latest version.
What to do
- Update google platform/packages/providers/mediaprovider to version 16-qpr2-next:2026-03-01.
- Update google platform/packages/providers/mediaprovider to version 15:2026-03-01.
- Update google platform/packages/providers/mediaprovider to version 16:2026-03-01.
- Update google platform/packages/providers/mediaprovider to version 14:2026-03-01.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| | android | 14.0 | – |
| | android | 15.0 | – |
| | android | 16.0 | – |
| | platform/packages/providers/mediaprovider | > 16-qpr2-next:0, <= 16-qpr2-next:2026-03-01 | 16-qpr2-next:2026-03-01 |
| | platform/packages/providers/mediaprovider | > 15:0, <= 15:2026-03-01 | 15:2026-03-01 |
| | platform/packages/providers/mediaprovider | > 16:0, <= 16:2026-03-01 | 16:2026-03-01 |
| | platform/packages/providers/mediaprovider | > 14:0, <= 14:2026-03-01 | 14:2026-03-01 |
Original title
In multiple locations, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalat...
Original description
In multiple locations, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
NVD CVSS 3.1
7.8
Vulnerability type
CWE-22
Path Traversal
Published: 1 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026