What is the CVSS score of CVE-2025-56254?

CVE-2025-56254 has a CVSS 3.1 base score of 4.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of PHP are affected by CVE-2025-56254?

Organizations using PHPGurukul Employee Leave Management System 2.1 should be aware of moderate risk from CVE-2025-56254, a IDOR vulnerability rated CVSS 4.3.

How to fix or mitigate CVE-2025-56254?

During next maintenance window: Identify affected systems and apply vendor patches when convenient. Monitor vendor channels for patch availability.

PHP CVE-2025-56254

MEDIUM

Authorization Bypass Through User-Controlled Key (CWE-639)

2025-09-02 cve@mitre.org

Authentication Bypass PHP Employee Leave Management System

4.3

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

4.3 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:10 vuln.today

CVE Published

Sep 02, 2025 - 12:15 nvd

MEDIUM 4.3

DescriptionCVE.org

PHPGurukul Employee Leave Management System 2.1 contains an Insecure Direct Object Reference (IDOR) vulnerability in leave-details.php. An authenticated user can change the leaveid parameter in the URL to access leave application details of other users.

AnalysisAI

PHPGurukul Employee Leave Management System 2.1 contains an Insecure Direct Object Reference (IDOR) vulnerability in leave-details.php. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-639. PHPGurukul Employee Leave Management System 2.1 contains an Insecure Direct Object Reference (IDOR) vulnerability in leave-details.php. An authenticated user can change the leaveid parameter in the URL to access leave application details of other users. Affected products include: Phpgurukul Employee Leave Management System.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

CVE-2025-56254 vulnerability details – vuln.today

Back

PHP CVE-2025-56254

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code