Skip to main content

Panilux CVE-2025-11022

CRITICAL
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-12-09 iletisim@usom.gov.tr
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 07:32 vuln.today

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Personal Project Panilux allows Cross Site Request Forgery.

This

CSRF vulnerability resulting in Command Injection has been identified.

This issue affects Panilux: before v.0.10.0. NOTE: The vendor was contacted and responded that they deny ownership of the mentioned product.

AnalysisAI

Cross-site request forgery in Panilux versions before 0.10.0 can be chained to command injection, allowing remote attackers to execute arbitrary operating system commands when an authenticated user is tricked into visiting a malicious page. The CVSS 9.6 (AV:N/AC:L/PR:N/UI:R/S:C) reflects scope change and full CIA impact, though exploitation requires user interaction and the affected vendor has denied ownership of the product, complicating disclosure. EPSS is very low at 0.04% (11th percentile) and no public exploit is identified at time of analysis.

Technical ContextAI

Panilux is described in the advisory as a 'Personal Project' web application; the underlying technology stack is not disclosed in the provided data. The root cause is CWE-352 (Cross-Site Request Forgery): the application accepts state-changing or command-executing requests without verifying that they were intentionally submitted by the authenticated user, e.g. via an anti-CSRF token, SameSite cookie enforcement, or origin/referrer validation. The CSRF primitive is chained into a command injection sink, indicating that at least one privileged endpoint accepts user-controlled input that is passed unsanitized to a shell or OS command interpreter, so a forged request from an authenticated victim becomes arbitrary command execution on the host. No CPE strings were provided to pin down the exact distribution or affected build artifacts.

Affected ProductsAI

The advisory identifies Panilux at all versions prior to 0.10.0 as affected. No CPE entries were supplied with this record, and no vendor advisory URL is available because the contacted vendor denied ownership of the product. The only references provided are the Turkish national CERT (USOM) bulletins at https://www.usom.gov.tr/bildirim/tr-25-0433 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0433, which should be consulted for any further product-identification details.

RemediationAI

No vendor-released patch identified at time of analysis, because the named vendor has denied ownership of Panilux and no authoritative fix advisory exists; the reporter implies version 0.10.0 or later resolves the issue, so administrators running an identifiable Panilux instance should upgrade to 0.10.0+ if such a build can be obtained and verified against the USOM bulletins at https://www.usom.gov.tr/bildirim/tr-25-0433 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0433. Compensating controls while a trusted patched build is unavailable: enforce SameSite=Strict (or Lax) on session cookies to block cross-site request submission, with the trade-off that some legitimate cross-origin flows or embedded usage may break; place the application behind an authenticating reverse proxy or VPN so the management interface is not reachable by attacker-controlled browsers, accepting the operational overhead of additional auth; and add a front-end WAF rule that rejects state-changing POST/PUT/DELETE requests lacking a same-origin Referer/Origin header, noting this can produce false positives for users with strict privacy extensions that strip those headers. Given the command-injection sink, also restrict the OS account running the service to the minimum privileges required, which limits but does not prevent exploitation.

Share

CVE-2025-11022 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy