CVE-2025-49089

Description

wangxutech MoneyPrinterTurbo 1.2.6 allows path traversal via /api/v1/download/ URIs such as /api/v1/download//etc/passwd.

How to fix CVE-2025-49089

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• PyPI/moneyprinterturbo—no fix listed

Is CVE-2025-49089 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, <= 1.2.6

CVSS scores

References (4)

• PATCHgithub.com/harry0703/MoneyPrinterTurbo
• WEBgist.github.com/Theresasu1/3a9ced1f3d8208cc9f99ce34057cf681
• WEBmoneyprinterturbo.net
• WEBwww.wangxutech.com