CVE-2025-6736 – juzaweb/cms

Package

Manager: composer
Name: juzaweb/cms
Vulnerable Version: >=0 <=3.4.2

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS: 0.0005 pctl0.14994

Details

JuzaWeb CMS is vulnerable to Incorrect Privilege Assignment when installing certain components A vulnerability classified as critical was found in juzaweb CMS 3.4.2. Affected by this vulnerability is an unknown functionality of the file /admin-cp/theme/install of the component Add New Themes Page. The manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Metadata

Created: 2025-06-27T00:31:14Z
Modified: 2025-07-11T20:22:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-mrph-pjv2-34f4/GHSA-mrph-pjv2-34f4.json
CWE IDs: ["CWE-266"]
Alternative ID: GHSA-mrph-pjv2-34f4
Finding: F005
Auto approve: 1