9.4

Rocket TRUfusion Enterprise allows authenticated users to upload files to arbitrary locations

CVE-2025-59793
Summary

Rocket TRUfusion Enterprise allows authenticated users to upload files to any location on the system, which could allow attackers to install malicious code. This is a serious security risk because it could let an attacker take control of the system. To mitigate this issue, update Rocket TRUfusion Enterprise to the latest version.

Original title
Rocket TRUfusion Enterprise through 7.10.5 exposes the endpoint at /axis2/services/WsPortalV6UpDwAxis2Impl to authenticated users to be able to upload files. However, the application doesn't proper...
Original description
Rocket TRUfusion Enterprise through 7.10.5 exposes the endpoint at /axis2/services/WsPortalV6UpDwAxis2Impl to authenticated users to be able to upload files. However, the application doesn't properly sanitize the jobDirectory parameter, which allows path traversal sequences to be included. This allows writing files to arbitrary local filesystem locations and may subsequently lead to remote code execution.
Vulnerability type
CWE-35
Published: 17 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
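
The description above turns on a client-supplied `jobDirectory` being joined to a storage path without a containment check. The following is an added example, not code from Rocket TRUfusion Enterprise: a server-side check that resolves the value under a fixed root and rejects anything that lands outside it, contrasted with a one-pass "strip `../`" filter of the kind CWE-35 describes. The upload root, class and method names, and sample inputs are all hypothetical.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

public class JobDirectoryCheck {
    // Hypothetical upload root; the product's real storage layout is not given on the page.
    static final Path UPLOAD_ROOT = Paths.get("/srv/uploads").toAbsolutePath().normalize();

    // Hypothetical weak filter: a single pass that deletes "../". Contrast case only.
    static String stripOnce(String s) {
        return s.replace("../", "");
    }

    // Resolve a client-supplied jobDirectory strictly below UPLOAD_ROOT, or throw.
    static Path resolveJobDirectory(String jobDirectory) {
        if (jobDirectory == null || jobDirectory.isEmpty() || jobDirectory.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("jobDirectory is empty or contains NUL");
        }
        // Judge backslash-separated input the same way as slash-separated input.
        String unified = jobDirectory.replace('\\', '/');
        // normalize() collapses "." and ".." lexically before the comparison.
        Path candidate = UPLOAD_ROOT.resolve(unified).normalize();
        // resolve() returns its argument unchanged when that argument is absolute,
        // so the containment test below also rejects absolute paths.
        if (!candidate.startsWith(UPLOAD_ROOT) || candidate.equals(UPLOAD_ROOT)) {
            throw new SecurityException("jobDirectory must resolve below the upload root");
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs. The last one is what a one-pass strip filter
        // leaves behind: a plain "../" prefix that the filter itself produced.
        List<String> samples = List.of("job-1234", "job-1234/parts", "../outside",
                "a/../../outside", "/etc", ".../...//outside",
                stripOnce(".../...//outside"));
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + s + " -> " + resolveJobDirectory(s));
            } catch (RuntimeException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check is lexical and does not follow symbolic links. Where the upload tree may contain links, compare `toRealPath()` of the existing parent directory against the root as well.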