TaleLin Lin-CMS CVE-2025-15151
Severity: LOW. CVSS Vector (NVD):
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
A vulnerability was determined in TaleLin Lin-CMS up to 0.6.0. This affects an unknown part of the file /tests/config.py of the component Tests Folder. Manipulation of the argument username/password leads to a "password in configuration file" weakness. The attack can be carried out remotely. The complexity of an attack is rather high. It is indicated that exploitability is difficult. The exploit has been publicly disclosed and may be utilized.
Analysis (AI)
Authentication bypass in TaleLin Lin-CMS up to version 0.6.0 allows remote attackers to manipulate the username and password arguments handled by /tests/config.py in the Tests Folder component, potentially exposing credentials stored in the configuration file. Attack complexity is rated high and the exploit has been publicly disclosed, but exploitation is considered difficult; an EPSS score of 0.04% indicates a very low probability of real-world exploitation.
Technical Context (AI)
TaleLin Lin-CMS is a content management system whose tests folder contains configuration handling in config.py. The vulnerability stems from insufficient input validation or credential handling in the test configuration component (CWE-255: Improper Authentication). The attack manipulates username and password parameters passed to the configuration file processing logic, suggesting that the test component may improperly sanitize or expose sensitive authentication credentials through its interface. The attack surface exists only where test files are present in production or in otherwise reachable deployments.
Affected Products (AI)
TaleLin Lin-CMS versions up to and including 0.6.0 are affected. The vulnerability is specific to the Tests Folder component and its config.py file. No CPE string is provided in the available data. Affected deployments are those exposing the /tests/config.py endpoint or including test configuration files in accessible paths.
Remediation (AI)
Upgrade TaleLin Lin-CMS to a version later than 0.6.0 if one is available from the vendor. If no patched version is available, immediately remove the /tests directory and all test-related files from production deployments, or restrict network access to them; test folders should never be exposed in internet-facing instances. Implement strict access controls on the /tests path at the web server or application level using authentication and IP allow-listing. Audit configuration files for plaintext credentials and migrate them to a secrets management system. Remove test configuration files entirely from production environments. Review web server logs for any access attempts to /tests/config.py or related paths to identify potential exploitation attempts.
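The log review step above, as an added example that is not part of this page or of the Lin-CMS project: a small scanner over access-log lines in common log format that flags any request whose path resolves to the /tests directory, normalizing percent-encoding and dot segments so that obfuscated variants are not missed. The log lines are constructed for the example.

```python
"""Flag access-log requests that resolve to the Lin-CMS /tests path."""
import posixpath
import re
from urllib.parse import unquote

# Apache/nginx common log format: client, identity, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (addresses are documentation ranges, not real clients)
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:12:00:01 +0000] "GET /tests/config.py HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jan/2025:12:00:02 +0000] "GET /tests/%63onfig.py HTTP/1.1" 404 0',
    '198.51.100.4 - - [10/Jan/2025:12:00:03 +0000] "GET /cms/user/login HTTP/1.1" 200 300',
    '198.51.100.4 - - [10/Jan/2025:12:00:04 +0000] "GET /static/../tests/config.py?x=1 HTTP/1.1" 403 0',
    '198.51.100.4 - - [10/Jan/2025:12:00:05 +0000] "GET /testsuite/run HTTP/1.1" 200 10',
]


def normalize_path(target: str) -> str:
    """Drop the query string, percent-decode (twice, to catch %252e) and collapse dot segments."""
    path = target.split("?", 1)[0]
    path = unquote(unquote(path))
    # normpath on an absolute path also discards '..' that would climb above '/'
    return posixpath.normpath("/" + path.lstrip("/"))


def find_tests_path_access(lines):
    """Return one record per request whose normalized path is /tests or below it."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line; skip rather than guess
        path = normalize_path(m["target"])
        if path == "/tests" or path.startswith("/tests/"):
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": path, "status": int(m["status"])})
    return hits


def successful_hits(hits):
    """Filter to 2xx responses: the server actually served something under /tests."""
    return [h for h in hits if 200 <= h["status"] < 300]


if __name__ == "__main__":
    for h in find_tests_path_access(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["path"]} -> {h["status"]}')
```

A 2xx hit means the test folder is reachable and should be removed or blocked immediately; 403/404 hits still show probing worth correlating by source address.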