CVE-2025-41351
Padding Oracle Vulnerability in Funambol v30.0.0.20 Cloud Server

Publication date: 2026-01-28

Last updated on: 2026-01-28

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Vulnerability that allows a Padding Oracle Attack to be performed on the Funambol v30.0.0.20 cloud server. The thumbnail display URL allows an attacker to decrypt and encrypt the parameters used by the application to generate ‘self-signed’ access URLs.

Meta Information
Published: 2026-01-28
Last Modified: 2026-01-28
Generated: 2026-06-16
AI Q&A: 2026-01-29
EPSS Evaluated: 2026-06-15

Affected Vendors & Products
Showing 1 associated CPE
Vendor: funambol
Product: funambol
Version / Range: 30.0.0.20

CWE ID: CWE-649
Description: The product uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the product does not use integrity checks to detect if those inputs have been modified.

Executive Summary

This vulnerability allows a Padding Oracle Attack against the Funambol v30.0.0.20 cloud server. It is exposed through the thumbnail display URL, which lets an attacker decrypt and encrypt the parameters the application uses to generate 'self-signed' access URLs.

Impact Analysis

An attacker could use this vulnerability to decrypt and encrypt parameters, potentially gaining unauthorized access to resources by manipulating 'self-signed' access URLs, which could lead to data exposure or unauthorized actions within the Funambol cloud server environment.
