JhumanJ OpnForm CVE-2025-11436

LOW
Improper Access Control (CWE-284)
2025-10-08 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 01:32 (vuln.today)

Description (CVE.org)

A vulnerability was detected in JhumanJ OpnForm up to 1.9.3. Affected by this issue is some unknown functionality of the file /answer. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit is now public and may be used. The patch is identified as 95c3e23856465d202e6aec10bdb6ee0688b5305a. It is advisable to implement a patch to correct this issue.

Analysis (AI)

Unrestricted file upload in JhumanJ OpnForm through version 1.9.3 allows authenticated users to bypass upload restrictions via the /answer endpoint, resulting in unauthorized file storage with limited confidentiality and integrity impact. The vulnerability requires valid authentication and has a publicly available exploit, but the real-world exploitation probability is low (EPSS 0.05%). The combination of a low CVSS score (2.1), the authentication requirement and the limited impact means this is not a critical priority despite public exploit availability.

Technical Context (AI)

OpnForm is an open-source form builder that processes file uploads through the /answer endpoint. The vulnerability exists in the file upload handling mechanism, classified under CWE-284 (Improper Access Control), where the application fails to properly validate or restrict uploaded files. The affected component processes form submissions via an endpoint that should enforce upload limitations but instead permits unrestricted file uploads when accessed by authenticated users. The issue is distinct from arbitrary code execution or complete system compromise, affecting only the confidentiality and integrity of file storage.

Remediation (AI)

Vendor-released patch: Upgrade to the version containing commit 95c3e23856465d202e6aec10bdb6ee0688b5305a (referenced in GitHub PR #900). Users should pull the latest changes from the JhumanJ/OpnForm repository or wait for the next tagged release incorporating this commit. As an immediate compensating control, restrict access to the /answer endpoint to trusted users only via network access controls or reverse proxy authentication rules, implement file type validation and size limits at the application level, and monitor the /answer endpoint for unusual upload activity. If immediate patching is not possible, disable form submission features that accept file uploads until the patch can be applied. Note that these workarounds reduce functionality and should be temporary measures only.
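The monitoring control above, as an added example that is neither vuln.today's nor the OpnForm project's code: it reads web-server access-log lines and flags POSTs to /answer that are oversized or arrive in bursts from one client. The log format (common-log fields with a trailing request length, as nginx's $request_length would supply), the thresholds and the sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example): common-log fields, then the
# request length, as nginx's $request_length gives it when appended to log_format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ (?P<req_len>\d+)')
UPLOAD_PATH = "/answer"
MAX_REQ_BYTES = 5_000_000            # assumed policy: a single upload above 5 MB is suspicious
BURST_COUNT = 5                      # assumed policy: more than 5 uploads from one client ...
BURST_WINDOW = timedelta(minutes=1)  # ... inside any one-minute window is suspicious

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not in the expected format: skipped rather than guessed
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["req_len"] = int(rec["req_len"])
    return rec

def find_suspicious_uploads(lines):
    # Returns (client_ip, reason) alerts for oversized or bursty POSTs to /answer.
    alerts, per_client = [], defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"].split("?")[0] != UPLOAD_PATH:
            continue
        if rec["req_len"] > MAX_REQ_BYTES:
            alerts.append((rec["ip"], f"oversized upload ({rec['req_len']} bytes)"))
        per_client[rec["ip"]].append(rec["ts"])
    for ip, times in per_client.items():
        times.sort()
        start = 0  # sliding window over this client's upload timestamps
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 > BURST_COUNT:
                alerts.append((ip, f"{end - start + 1} uploads within {BURST_WINDOW}"))
                break
    return alerts

SAMPLE_LOG = [  # constructed: a six-upload burst, one oversized upload, two benign requests
    '203.0.113.5 - - [08/Oct/2025:10:00:%02d +0000] "POST /answer HTTP/1.1" 200 512 40960' % s
    for s in range(0, 60, 10)
] + [
    '198.51.100.7 - - [08/Oct/2025:10:05:00 +0000] "POST /answer HTTP/1.1" 200 512 9000000',
    '192.0.2.9 - - [08/Oct/2025:10:05:01 +0000] "GET /answer HTTP/1.1" 200 1024 0',
    '192.0.2.9 - - [08/Oct/2025:10:05:02 +0000] "POST /api/forms HTTP/1.1" 201 300 2048',
]
```

Running `find_suspicious_uploads(SAMPLE_LOG)` yields one oversized-upload alert for 198.51.100.7 and one burst alert for 203.0.113.5; the GET and the POST to another path are ignored.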
