MultiVendorX (MultiVendorX) CVE-2025-48261

EUVD-2025-17536 | HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
Published 2025-06-09, reported by [email protected]
CVSS 3.1 base score: 7.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: None
- Availability: None

Lifecycle Timeline

- EUVD ID Assigned: Mar 14, 2026 - 19:21 (euvd), EUVD-2025-17536
- Analysis Generated: Mar 14, 2026 - 19:21 (vuln.today)
- CVE Published: Jun 09, 2025 - 16:15 (nvd)

Description (NVD)

Insertion of Sensitive Information Into Sent Data vulnerability in MultiVendorX MultiVendorX allows Retrieve Embedded Sensitive Data. This issue affects MultiVendorX: from n/a through 4.2.22.

Analysis (AI)

CVE-2025-48261 is an information disclosure vulnerability in MultiVendorX that allows unauthenticated remote attackers to retrieve sensitive data embedded in data the application sends over a network-accessible interface. The vulnerability affects MultiVendorX versions up to and including 4.2.22; its CVSS score of 7.5 reflects a high confidentiality impact with no integrity or availability impact. No KEV listing or public PoC details were provided in the available intelligence, but the network-accessible attack vector (AV:N) and the absence of any privilege requirement (PR:N) make this a material risk for exposed instances.

Technical Context (AI)

This vulnerability is rooted in CWE-201 (Insertion of Sensitive Information Into Sent Data), a class of weakness in which an application inadvertently includes sensitive information in data it transmits, so that it can be read by unauthorized recipients or intercepted in transit. In the context of MultiVendorX (a multi-vendor marketplace platform), the flaw likely lies in API responses, data serialization, or cached content, where sensitive fields (API keys, internal identifiers, user tokens, or configuration data) are returned to unauthenticated clients. The AV:N and AC:L metrics indicate the weakness is reachable over the network without special conditions, which suggests it sits in default API endpoints or publicly accessible data retrieval functions. The issue affects MultiVendorX through version 4.2.22, so the vendor has released, or plans to release, patched versions beyond that threshold.

Remediation (AI)

Immediate actions:

1. Upgrade MultiVendorX to the first patched version beyond 4.2.22 (likely 4.2.23 or later, pending vendor release).
2. If a patched version is not yet available, implement network-level controls: restrict API endpoint access to authenticated/trusted sources, deploy WAF rules to filter sensitive data from responses, and disable unused API endpoints.
3. Review recent API response logs for evidence of sensitive data exfiltration (API keys, tokens, user IDs in response bodies).
4. Rotate any exposed credentials, API keys, or tokens discovered in logs.
5. Monitor official MultiVendorX security advisories and the vendor's GitHub/security portal for the patch release and detailed remediation guidance.
6. Apply patches in a controlled staging environment first to validate compatibility with custom extensions or integrations.


CVE-2025-48261 vulnerability details – vuln.today
