CVE-2024-12866

High CVSS 7.5

Overview

A local file inclusion vulnerability exists in netease-youdao/qanything version v2.0.0. This vulnerability allows an attacker to read arbitrary files on the file system, which can lead to remote code execution by retrieving private SSH keys, reading private files, source code, and configuration files.

CWE: CWE-22 Published: 2025-03-20T10:15:30.840

Risk analysis

This vulnerability is rated 🟠 HIGH.

CVSS: 7.5 (HIGH)
Detected tags: lfi, rce (tag impact: VERY HIGH)

Recommended actions:

Normalize paths, use allowlists; block user-controlled file paths.
Patch/upgrade immediately (remote code execution).
Reduce exposure (WAF/segmentation), minimize attack surface.

Overview

Recommended tools

Tags