Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in POEditor POEditor allows Path Traversal. This issue affects POEditor: from n/a through 0.9.10.
AnalysisAI
Cross-Site Request Forgery (CSRF) vulnerability in POEditor that enables path traversal attacks, affecting versions 0.9.10 and earlier. An attacker can exploit this via a crafted request to perform unauthorized actions on behalf of an authenticated user, potentially leading to high availability impact. While the CVSS score of 7.4 indicates a significant threat, the requirement for user interaction (UI:R) and network-based attack vector limits real-world exploitability; current KEV and EPSS data are needed to determine if active exploitation is occurring.
Technical ContextAI
This vulnerability combines two distinct weakness classes: CWE-352 (Cross-Site Request Forgery) and path traversal capabilities. The CSRF component indicates insufficient CSRF token validation or SameSite cookie protections in POEditor's web application, allowing attackers to forge authenticated requests across origin boundaries. The path traversal aspect suggests that user-controlled input is not properly sanitized before file system operations, potentially allowing directory traversal sequences (../) to access unauthorized resources. POEditor (a localization/translation management platform) likely processes file uploads or imports without adequate CSRF protections and input validation. The affected versions (through 0.9.10) suggest this is a legacy or unmaintained component within the broader POEditor ecosystem.
RemediationAI
- IMMEDIATE: Upgrade POEditor to version 0.9.11 or later (patch version must be confirmed from vendor release notes/security advisories). 2) WORKAROUND (if upgrade unavailable): Implement CSRF token validation at the web server level (WAF rules to enforce X-CSRF-Token headers on state-changing requests). 3) MITIGATION: Deploy SameSite=Strict cookie attributes on session cookies to block cross-origin requests. 4) INPUT VALIDATION: If source code access available, implement canonicalization of file paths and reject any input containing '../' sequences. 5) MONITORING: Log all file upload/import operations and monitor for unusual path patterns in request logs. Contact POEditor support (https://poeditor.com/contact) for official patch availability and timeline; check security advisories at https://poeditor.com/blog or vendor GitHub repository for patch release notes.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17296