
JhumanJ OpnForm CVE-2025-11438

Severity: LOW (2.1, CVSS 4.0, NVD)
Weakness: Missing Authorization (CWE-862)
Published: 2025-10-08 (cna@vuldb.com)

Severity by source

NVD (primary): 2.1 LOW
Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 01:33 (vuln.today)

Description (CVE.org)

A vulnerability has been found in JhumanJ OpnForm up to 1.9.3. This vulnerability affects unknown code of the file /custom-domains of the component API Endpoint. Such manipulation leads to missing authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is beb153ce52dceb971c1518f98333328c95f1ba20. It is best practice to apply a patch to resolve this issue.

Analysis (AI)

Missing authorization in OpnForm up to version 1.9.3 allows authenticated remote attackers to reach the /custom-domains API endpoint without proper permission checks, potentially enabling unauthorized configuration changes. The vulnerability affects unknown code handling custom domain management, and exploit code is confirmed to be publicly available; however, the low CVSS score (2.1) and minimal exploitation probability (EPSS 0.04%) indicate limited real-world risk despite the authorization bypass.

Technical Context (AI)

The vulnerability lies in the /custom-domains API endpoint of OpnForm, a form management platform. The root cause is classified as CWE-862 (Missing Authorization): the application authenticates the caller but does not verify that the caller is permitted to perform the requested action before exposing sensitive API functionality. Authenticated users can therefore use this endpoint to perform unauthorized actions related to custom domain configuration. Because the endpoint is network-accessible and processes requests without sufficient authorization checks, authenticated users with limited privileges can escalate their access to protected resources.
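The pattern behind CWE-862 is easiest to see as two handlers side by side: one that only confirms a caller is logged in, and one that also asks whether that caller may perform the action before touching state. The following is an added, generic Python model written for this page; it is not OpnForm's code and does not reproduce the real /custom-domains handler. The `User` and `Request` types, the `admin` role, the `CUSTOM_DOMAINS` store and the policy table are all assumptions.

```python
"""Constructed model of CWE-862 (Missing Authorization) on an API route.

Not OpnForm's code: the route, the User/Request types, the "admin" role and
the CUSTOM_DOMAINS store are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()   # e.g. frozenset({"admin"}); a plain member has none


@dataclass
class Request:
    path: str
    method: str
    user: Optional[User]              # None = unauthenticated caller
    body: dict = field(default_factory=dict)


class HttpError(Exception):
    def __init__(self, status: int, reason: str):
        super().__init__(f"{status} {reason}")
        self.status = status


# Assumed persistent state: workspace id -> custom domains attached to it.
CUSTOM_DOMAINS: Dict[str, List[str]] = {"ws-1": ["forms.example.org"]}


def require_authenticated(req: Request) -> User:
    """Authentication answers 'who is calling?'. It says nothing about permission."""
    if req.user is None:
        raise HttpError(401, "Unauthorized")
    return req.user


# --- vulnerable form: any logged-in user may rewrite the domain list ----------
def update_custom_domains_vulnerable(req: Request) -> dict:
    require_authenticated(req)                 # authn only: the authz step is missing
    CUSTOM_DOMAINS[req.body["workspace"]] = list(req.body["domains"])
    return {"ok": True, "domains": CUSTOM_DOMAINS[req.body["workspace"]]}


# --- hardened form: explicit, deny-by-default policy before any side effect --
def authorize(user: User, action: str, resource: str) -> None:
    """Raise 403 unless the caller holds a role the policy table allows."""
    policy = {("update", "custom-domains"): {"admin"}}   # assumed role mapping
    allowed_roles = policy.get((action, resource), set())
    if not (user.roles & allowed_roles):
        raise HttpError(403, "Forbidden")


def update_custom_domains_hardened(req: Request) -> dict:
    user = require_authenticated(req)
    authorize(user, "update", "custom-domains")  # decided before state changes
    CUSTOM_DOMAINS[req.body["workspace"]] = list(req.body["domains"])
    return {"ok": True, "domains": CUSTOM_DOMAINS[req.body["workspace"]]}


def dispatch(handler: Callable[[Request], dict], req: Request) -> int:
    """Run a handler and return the HTTP status it would answer with."""
    try:
        handler(req)
        return 200
    except HttpError as e:
        return e.status


if __name__ == "__main__":
    member = Request("/custom-domains", "PUT", User("bob"),
                     {"workspace": "ws-1", "domains": ["member-chosen.test"]})
    admin = Request("/custom-domains", "PUT", User("alice", frozenset({"admin"})),
                    {"workspace": "ws-1", "domains": ["forms.example.org"]})
    print("vulnerable, member:", dispatch(update_custom_domains_vulnerable, member))  # 200
    print("hardened,   member:", dispatch(update_custom_domains_hardened, member))    # 403
    print("hardened,   admin :", dispatch(update_custom_domains_hardened, admin))     # 200
```

The important ordering is in the hardened handler: the policy decision happens after authentication and before the write, and the policy table denies anything it does not list, so a new action added later without a policy entry fails closed rather than open.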

Remediation (AI)

Upgrade OpnForm to a release that contains commit beb153ce52dceb971c1518f98333328c95f1ba20 (the first release after 1.9.3, i.e. 1.9.4 if available). The patch is in the upstream GitHub repository at https://github.com/JhumanJ/OpnForm/pull/900/commits/beb153ce52dceb971c1518f98333328c95f1ba20. As an interim compensating control pending the upgrade, restrict access to the /custom-domains endpoint to administrators using network-level or application-level controls such as WAF rules or API gateway access policies. This limits the risk of low-privilege users exploiting the authorization bypass while keeping domain management available to authorized personnel. Note that this control requires maintaining current access control lists and may disrupt legitimate domain management workflows if not carefully scoped.
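Whether the interim control is a WAF rule or a gateway policy, you want two answers from the access logs: did any non-administrator request to /custom-domains still succeed (a gap in the control, or activity from before it was deployed), and is the control actually rejecting such requests. The Python below is an added example for this page, not vuln.today's or OpnForm's code. It assumes a gateway that writes one JSON object per line with the fields ts, method, path, user, roles and status; the log format, the `admin` role name and the sample lines are constructed.

```python
"""Added example: review gateway access logs for non-administrator traffic to
the /custom-domains API. Not OpnForm's or vuln.today's code; the JSON log
format, the "admin" role and SAMPLE_LOG are constructed assumptions.
"""
import json
from typing import Dict, Iterable, List

PROTECTED_PREFIX = "/custom-domains"   # endpoint named in the advisory
REQUIRED_ROLE = "admin"                # assumed role that should be allowed through

# Constructed sample: an admin read, two member writes that got through (what
# the compensating control must stop), one blocked attempt, one corrupt line.
SAMPLE_LOG = """\
{"ts":"2025-10-08T10:00:01Z","method":"GET","path":"/custom-domains","user":"alice","roles":["admin"],"status":200}
{"ts":"2025-10-08T10:00:05Z","method":"POST","path":"/custom-domains","user":"bob","roles":["member"],"status":200}
{"ts":"2025-10-08T10:00:09Z","method":"GET","path":"/forms/12","user":"bob","roles":["member"],"status":200}
{"ts":"2025-10-08T10:01:00Z","method":"PUT","path":"/custom-domains/3","user":"carol","roles":[],"status":403}
not json at all
{"ts":"2025-10-08T10:02:00Z","method":"DELETE","path":"/custom-domains/3","user":"bob","roles":["member"],"status":204}
"""


def is_protected_path(path: str) -> bool:
    """Match the endpoint and its sub-resources, but not look-alike paths."""
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


def review_custom_domain_access(lines: Iterable[str]) -> Dict[str, object]:
    """Split non-admin traffic to the protected endpoint into what got through
    and what was blocked; count lines the parser could not read."""
    succeeded: List[dict] = []   # answered < 400: authorization gap or control bypass
    blocked: List[dict] = []     # answered >= 400: the control did its job
    malformed = 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            malformed += 1           # never silently drop unreadable audit data
            continue
        if not is_protected_path(rec.get("path", "")):
            continue
        if REQUIRED_ROLE in rec.get("roles", []):
            continue                 # administrators are expected here
        finding = {k: rec.get(k) for k in ("ts", "method", "path", "user", "status")}
        (blocked if int(rec.get("status", 0)) >= 400 else succeeded).append(finding)
    return {"succeeded": succeeded, "blocked": blocked, "malformed": malformed}


if __name__ == "__main__":
    report = review_custom_domain_access(SAMPLE_LOG.splitlines())
    for f in report["succeeded"]:
        print("ALERT non-admin request to protected endpoint succeeded:", f)
    print(f'{len(report["blocked"])} blocked, {report["malformed"]} malformed line(s)')
```

Run against real logs, a non-empty `succeeded` list after the control is in place means the rule is not scoped tightly enough (for instance, it matches only the bare path and misses sub-resources such as /custom-domains/3); entries timestamped before the control went in are candidates for incident review.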


CVE-2025-11438 vulnerability details – vuln.today
