CVE-2025-26792 - Published Folders

We’ve had a vulnerability flagged up by our information security team with the published folders function. (It was flagged when I tried to download the 5.4 nightly build, but apparently it affects current versions.)

Summary: Version 4.5.x and 5.x.x are vulnerable to an information disclosure through directory traversal when using PowerShell Universal published folders. Systems that do not have this feature configured are not affected. If authenticated published folders are configured, the attacker will need to be authenticated.

Score: 5.4

Severity: Medium

Are there any plans to mitigate this in future versions?

In the meantime is there a way to disable the published folders function entirely to prevent any issues?

Thanks

That CVE number is not in use (it’s still a reserved number). Did you mean CVE-2024-26792, perhaps?

That’s what I was given by our infosec guy. After googling it myself, though, I think they got the info from CVEs | PowerShell Universal

This was the number provided to us by MITRE. This issue should be resolved in the most recent version of 4 and 5 so I’d be curious on how they are reproducing it. We have a pretty extensive set of automated tests around this.

If you have no published folders configured, you won’t have this issue.

Thanks so much! Exactly the response that I was looking for!

Interesting. MITRE’s site is where I looked it up and it shows it’s not in use yet.
