CVE-2025-11438
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in JhumanJ OpnForm up to 1.9.3. This vulnerability affects unknown code of the file /custom-domains of the component API Endpoint. Such manipulation leads to missing authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is beb153ce52dceb971c1518f98333328c95f1ba20. It is best practice to apply a patch to resolve this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-10-08
EPSS Evaluated
2026-06-14
NVD
CVE-2025-11438
EUVD
EUVD-2025-31837
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jhumanj opnform to 1.9.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-11438 is an authorization vulnerability in JhumanJ OpnForm up to version 1.9.3, specifically affecting the /custom-domains API endpoint. It occurs because the system fails to properly check if a user is authorized to perform certain actions, allowing a remote attacker with low privileges to bypass these checks and modify critical settings that should be restricted. This flaw is classified under improper authorization (CWE-862) and can impact the confidentiality, integrity, and availability of the system. [1, 2]

Impact Analysis

This vulnerability allows a low-privileged user to modify the custom domain configuration of an OpnForm instance without proper authorization. Such unauthorized modifications can compromise the integrity and security of the application, potentially leading to unauthorized access, data manipulation, or disruption of services. [1, 2]

Detection Guidance

Detection can involve monitoring API requests to the /custom-domains endpoint for unauthorized access attempts, especially from low-privileged users performing modification actions. Since the vulnerability allows bypassing authorization remotely, inspecting logs for unexpected changes or access patterns to this endpoint is recommended. Specific commands are not provided in the resources, but using tools like curl or HTTP request log analysis to check for unauthorized POST or PUT requests to /custom-domains could help detect exploitation attempts. [1, 2]

Mitigation Strategies

The immediate mitigation step is to apply the patch identified by commit beb153ce52dceb971c1518f98333328c95f1ba20, which fixes the authorization issue in the /custom-domains API endpoint. Until the patch is applied, restrict access to the vulnerable API endpoint to trusted users only and monitor for suspicious activity. Following best practices, ensure that only authorized users have permissions to modify custom domain configurations. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11438. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart