CVE-2025-11442
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in JhumanJ OpnForm up to 1.9.3. The impacted element is an unknown function of the component API Endpoint. The manipulation results in cross-site request forgery. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor has stated that API calls require authentication through Authorization Bearer Tokens, so classic CSRF attacks do not apply here. An attacker would need to possess the JWT through means such as XSS which were mitigated, disabling any form of initial access.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-10-08
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11442
EUVD
EUVD-2025-31835
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jhumanj opnform to 1.9.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a cross-site request forgery (CSRF) flaw in JhumanJ OpnForm up to version 1.9.3, specifically in an unknown function of the API Endpoint component. Although the API requires authentication via Authorization Bearer Tokens (JWT), which normally prevents classic CSRF attacks, an attacker could exploit this if they manage to obtain the JWT through other means such as cross-site scripting (XSS). However, XSS vulnerabilities have been mitigated, making initial access difficult. The vulnerability can be exploited remotely, and a public exploit is available.

Impact Analysis

The vulnerability could allow an attacker to perform unauthorized actions on behalf of an authenticated user by exploiting the CSRF flaw if they manage to obtain the user's JWT token. This could lead to limited integrity impact, such as unauthorized changes or actions within the application, but it does not affect confidentiality or availability directly. Since initial access to the JWT is difficult due to mitigations against XSS, the practical impact may be limited but still poses a security risk.

Detection Guidance

Detection of this vulnerability is challenging because the vendor states that API calls require authentication through Authorization Bearer Tokens, which mitigates classic CSRF attacks. Since the exploit requires possession of a JWT token (which is protected against initial access), there are no specific commands or straightforward network detection methods provided to identify this vulnerability.

Mitigation Strategies

Immediate mitigation steps include ensuring that API endpoints strictly require Authorization Bearer Tokens for authentication, maintaining protections against XSS attacks to prevent attackers from obtaining JWT tokens, and monitoring for any unusual API usage patterns. Since classic CSRF attacks do not apply due to token requirements, focus should be on securing token handling and preventing token theft.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11442. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart