
JPACookieShop CVE-2025-7938

LOW
Improper Authorization (CWE-285)
2025-07-21 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 01:29 (vuln.today)

Description (CVE.org)

A vulnerability was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 1.0 and classified as critical. This issue affects the function updateGoods of the file GoodsController.java. The manipulation leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

Authorization bypass in JPACookieShop (蛋糕商城JPA版) version 1.0 allows authenticated remote attackers to modify goods via the updateGoods function in GoodsController.java without proper privilege validation. Public exploit code exists, but the real-world risk is low: the CVSS score is 2.1 (EPSS 0.06%), indicating that exploitation is unlikely because valid credentials are required, even though the issue has been publicly disclosed.

Technical Context (AI)

JPACookieShop is a Java-based e-commerce platform using JPA (Java Persistence API) for data access. The vulnerability resides in the GoodsController.java file's updateGoods method, which fails to properly validate user authorization before executing goods modification operations. This is classified as CWE-285 (Improper Authorization / Missing Authorization), a common flaw in web applications where access control checks are either absent or insufficient. The attack vector is network-based (AV:N) with low complexity (AC:L), meaning any remote attacker with valid login credentials can trigger the vulnerable function without special conditions.

Remediation (AI)

No vendor-released patch identified at time of analysis. Immediate mitigations include implementing role-based access control (RBAC) validation in the updateGoods method, so that the authenticated user must hold an explicit 'goods_update' or equivalent privilege before a modification request is processed, and adding audit logging that records every goods modification by user ID so that unauthorized changes can be detected. Apply input validation and server-side authorization checks before any state-changing operation in GoodsController. Contact the JPACookieShop maintainer (jerryshensjf) to request a patched version, or consider switching to an actively maintained fork or alternative e-commerce platform if no vendor response is received. Deployment workaround: restrict network access to GoodsController endpoints to trusted administrative networks only; this limits exposure but does not eliminate the underlying authorization flaw.
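The mitigation described above, as an added example rather than code from JPACookieShop or from this page: a minimal plain-Java model of an updateGoods handler in its unchecked form (the CWE-285 shape) next to a hardened form that verifies a server-side privilege before the write, validates the payload, and records an audit entry for both denied and allowed attempts. The class names (GoodsController, GoodsRepository, AuditLog, AuthenticatedUser), the 'goods_update' privilege name and the sample data are assumptions for illustration; the real project's structure is not shown on this page.

```java
// Added example, not code from JPACookieShop. All names and data below are
// constructed for illustration of the RBAC check described in the remediation.
import java.util.*;

public class GoodsAuthzExample {

    /** Caller identity resolved server-side (e.g. from the session), never from the request body. */
    record AuthenticatedUser(long id, Set<String> privileges) {}

    /** The goods record the client asks to update. */
    record Goods(long id, String name, long priceCents) {}

    /** Stand-in for a JPA repository (assumption; the real persistence layer is not on the page). */
    static class GoodsRepository {
        private final Map<Long, Goods> table = new HashMap<>();
        void save(Goods g) { table.put(g.id(), g); }
        Optional<Goods> findById(long id) { return Optional.ofNullable(table.get(id)); }
    }

    /** Append-only audit trail: which user attempted which change, and the outcome. */
    static class AuditLog {
        final List<String> entries = new ArrayList<>();
        void record(String outcome, long userId, long goodsId) {
            entries.add(String.format("%s updateGoods user=%d goods=%d", outcome, userId, goodsId));
        }
    }

    static class AuthorizationException extends RuntimeException {
        AuthorizationException(String msg) { super(msg); }
    }

    static class GoodsController {
        static final String REQUIRED_PRIVILEGE = "goods_update"; // assumed privilege name
        final GoodsRepository repo = new GoodsRepository();
        final AuditLog audit = new AuditLog();

        // Unchecked shape (CWE-285): being logged in is the only barrier, so any
        // authenticated user reaches the state-changing write.
        Goods updateGoodsUnchecked(AuthenticatedUser user, Goods update) {
            repo.save(update);
            return update;
        }

        // Hardened shape: explicit server-side privilege check before the state
        // change, input validation, and an audit entry either way.
        Goods updateGoods(AuthenticatedUser user, Goods update) {
            if (!user.privileges().contains(REQUIRED_PRIVILEGE)) {
                audit.record("DENY", user.id(), update.id());
                throw new AuthorizationException("user " + user.id() + " lacks " + REQUIRED_PRIVILEGE);
            }
            if (update.name() == null || update.name().isBlank() || update.priceCents() < 0) {
                throw new IllegalArgumentException("invalid goods payload");
            }
            repo.save(update);
            audit.record("ALLOW", user.id(), update.id());
            return update;
        }
    }

    public static void main(String[] args) {
        GoodsController controller = new GoodsController();
        controller.repo.save(new Goods(7L, "Cheesecake", 2500L));

        // Constructed sample principals: a plain customer and a catalogue manager.
        AuthenticatedUser customer = new AuthenticatedUser(101L, Set.of("order_place"));
        AuthenticatedUser manager = new AuthenticatedUser(5L, Set.of("goods_update"));
        Goods tampered = new Goods(7L, "Cheesecake", 1L);

        // Unchecked handler: the customer's write goes through.
        controller.updateGoodsUnchecked(customer, tampered);
        System.out.println("unchecked price now: " + controller.repo.findById(7L).get().priceCents());

        // Hardened handler: the customer is denied, the manager is allowed, both are audited.
        controller.repo.save(new Goods(7L, "Cheesecake", 2500L));
        try {
            controller.updateGoods(customer, tampered);
        } catch (AuthorizationException e) {
            System.out.println("denied: " + e.getMessage());
        }
        controller.updateGoods(manager, new Goods(7L, "Cheesecake", 2600L));
        System.out.println("hardened price now: " + controller.repo.findById(7L).get().priceCents());
        controller.audit.entries.forEach(System.out::println);
    }
}
```

The important design point is that the privilege set comes from the server-side session, so a client cannot grant itself 'goods_update' by adding a field to the request. In a Spring Security deployment the same rule can be declared on the handler with `@PreAuthorize("hasAuthority('goods_update')")`, with the audit entry still written in the method body so that denied attempts are visible to monitoring as well as allowed ones.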


CVE-2025-7938 vulnerability details – vuln.today
