How to fix CVE-2025-13872?

Within 24 hours: Disable the survey-import feature in Opinio or restrict access to trusted internal users only; inventory all systems running Opinio 7.26 rev12562. Within 7 days: Implement WAF rules to block malicious survey-import requests; conduct audit logs for suspicious import activity. Within 30 days: Upgrade to a patched version when available from ObjectPlanet; evaluate alternative survey platforms if patch timeline is unacceptable.

Is Opinio affected by CVE-2025-13872?

A critical vulnerability in ObjectPlanet Opinio's survey-import feature allows attackers to manipulate your servers into making unauthorized requests to internal or external systems, potentially exposing sensitive data or enabling lateral movement within your infrastructure.

CVE-2025-13872

EUVD-2025-200216 CRITICAL

2025-12-02 64c5ae8f-7972-4697-86a0-7ada793ac795

9.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 14:04 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 14:04 euvd

EUVD-2025-200216

CVE Published

Dec 02, 2025 - 10:16 nvd

CRITICAL 9.1

Description

Blind Server-Side Request Forgery (SSRF) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on Web-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted import requests to an arbitrary destination.

Analysis

Blind Server-Side Request Forgery (SSRF) in the survey-import feature of

ObjectPlanet Opinio 7.26 rev12562 on

Web-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted import requests

to an arbitrary destination.

Technical Context

Server-Side Request Forgery allows an attacker to induce the server to make HTTP requests to arbitrary destinations, including internal services. This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918).

Affected Products

Affected products: Objectplanet Opinio 7.26

Remediation

Validate and whitelist allowed URLs and IP ranges. Block requests to internal/private IP ranges. Use network segmentation to limit server-side request scope.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +46

POC: 0

CVE-2025-13872 vulnerability details – vuln.today

Back

CVE-2025-13872

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-13872

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code