JhumanJ OpnForm CVE-2025-11440
Severity: LOW (by source)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was determined in JhumanJ OpnForm up to 1.9.3. Impacted is an unknown function of the file /edit. Executing manipulation can lead to improper access controls. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This patch is called b15e29021d326be127193a5dbbd528c4e37e6324. Applying a patch is advised to resolve this issue.
Analysis (AI)
Improper access controls in OpnForm versions up to 1.9.3 allow authenticated remote attackers to manipulate the /edit function, gaining unauthorized access to resources or functionality. The CVSS score of 2.1 reflects low severity due to authentication requirements and limited confidentiality impact, though the exploit has been publicly disclosed and an upstream patch is available. Real-world risk is minimal given the low EPSS score (0.03%, 8th percentile) despite public POC availability.
Technical Context (AI)
OpnForm is a form-building application written in JavaScript/Node.js. The vulnerability resides in an unspecified function of the /edit endpoint, which handles form editing operations. The root cause is classified under CWE-266 (Improper Privilege Assignment), indicating a logic flaw where access control checks either fail to properly validate user permissions or incorrectly grant elevated privileges. The CVSS vector shows this requires authenticated access (PR:L) but can be exploited over the network with low complexity. The affected product spans all versions up to 1.9.3, suggesting the flaw has existed across multiple releases.
Remediation (AI)
Apply the vendor patch immediately by upgrading to OpnForm version 1.9.4 or later, which includes commit b15e29021d326be127193a5dbbd528c4e37e6324. This commit is available in the GitHub repository at https://github.com/JhumanJ/OpnForm/pull/900/commits/b15e29021d326be127193a5dbbd528c4e37e6324. If an immediate upgrade is not feasible, restrict network access to the /edit endpoint to administrative users only, using reverse proxy rules (e.g., nginx location blocks or WAF policies); note that this does not eliminate the vulnerability for legitimate administrators. Monitor authentication and access logs for anomalous requests to the /edit endpoint from low-privilege accounts, as these may indicate exploitation attempts. After patching, audit any forms or configurations modified between the vulnerability discovery date and the time the patch was applied.
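The log-monitoring step above can be turned into a small, repeatable check. The following is an added example, not code from the advisory or from the OpnForm project; it assumes a hypothetical access-log format (timestamp, user, role, method, path, status) and a constructed sample, and it separates successful (2xx) /edit requests by non-admin accounts, which is the pattern worth investigating, from denied (403) ones, which show the access control working.

```python
import re
from collections import Counter

# Constructed sample log lines in a hypothetical format (not OpnForm's own):
# <iso-timestamp> user=<id> role=<role> <METHOD> <path> <status>
SAMPLE_LOG = """\
2025-10-08T10:00:01Z user=alice role=admin GET /edit 200
2025-10-08T10:00:05Z user=bob role=member GET /forms 200
2025-10-08T10:00:09Z user=bob role=member GET /edit 200
2025-10-08T10:00:12Z user=bob role=member POST /edit?form=42 200
2025-10-08T10:00:20Z user=carol role=member GET /edit 403
2025-10-08T10:00:25Z user=alice role=admin POST /edit 200
not a log line at all
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarize_edit_access(log_text, admin_roles=("admin",), endpoint="/edit"):
    """Count requests to `endpoint` made by accounts whose role is not in admin_roles.

    Returns {"allowed": {user: n}, "denied": {user: n}}:
      - allowed: 2xx responses, i.e. a low-privilege account actually reached /edit
      - denied:  403 responses, i.e. the access control rejected the request
    Query strings and sub-paths under the endpoint are treated as the same endpoint.
    """
    allowed = Counter()
    denied = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip unparseable lines rather than failing the whole run
        path = rec["path"].split("?", 1)[0]
        if path != endpoint and not path.startswith(endpoint + "/"):
            continue
        if rec["role"] in admin_roles:
            continue
        if 200 <= rec["status"] < 300:
            allowed[rec["user"]] += 1
        elif rec["status"] == 403:
            denied[rec["user"]] += 1
    return {"allowed": dict(allowed), "denied": dict(denied)}


if __name__ == "__main__":
    result = summarize_edit_access(SAMPLE_LOG)
    for user, n in result["allowed"].items():
        print(f"INVESTIGATE: non-admin {user} reached /edit {n} time(s)")
    for user, n in result["denied"].items():
        print(f"info: non-admin {user} was denied /edit {n} time(s)")
```

Run it against exported logs instead of `SAMPLE_LOG` after adapting `LINE_RE` to the real format; any account in the `allowed` set on a version up to 1.9.3 deserves the post-patch audit of modified forms that the remediation text calls for.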