Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Lifecycle Timeline
4DescriptionCVE.org
SummaryA non privileged user can install and remove arbitrary packages via composer for a composer based installed, even if the flag in update settings for enable composer based update is unticked.
ImpactA low-privileged user of the platform can install malicious code to obtain higher privileges.
AnalysisAI
CVE-2025-13828 is a security vulnerability (CVSS 9.0). Critical severity with potential for significant impact on affected systems.
Technical ContextAI
CWE-862 (Missing Authorization). CVSS 9.0 indicates critical severity with likely remote exploitation vector.
RemediationAI
Monitor vendor channels for patch availability.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-200275
GHSA-3fq7-c5m8-g86x