
Simple Car Rental System CVE-2025-8335

Severity: LOW (2.1, CVSS 4.0, NVD)
Weakness: Cross-Site Request Forgery (CSRF) (CWE-352)
2025-07-30 · CNA: cna@vuldb.com

Severity by source

NVD (primary): 2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; only source for this CVE.

CVSS Vector (NVD), base and threat metrics decoded from the vector above:

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: None (AT:N)
Privileges Required: None (PR:N)
User Interaction: Passive (UI:P)
Vulnerable System Impact: Confidentiality None, Integrity Low, Availability None (VC:N/VI:L/VA:N)
Subsequent System Impact: None (SC:N/SI:N/SA:N)
Exploit Maturity: Proof-of-Concept (E:P)
Safety (supplemental): Not Defined (S:X). CVSS 4.0 has no Scope metric; the "S" in the vector is the Safety supplemental metric, not Scope.

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 01:18 (vuln.today)

Description (CVE.org)

A vulnerability classified as problematic has been found in code-projects Simple Car Rental System 1.0. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

Cross-site request forgery in Simple Car Rental System 1.0 allows a remote attacker to perform state-changing actions on behalf of an authenticated user by luring that user to an attacker-controlled page that submits a crafted request to the application. Despite public exploit availability, the real-world risk is low: the EPSS score of 0.08% (24th percentile) indicates a minimal probability of exploitation in the wild. The attacker needs no account on the application (PR:N), but exploitation depends on the victim holding a valid session and visiting the attacker's page while logged in (UI:P).

Technical Context (AI)

Cross-site request forgery (CWE-352) is a web application vulnerability in which an attacker causes an authenticated user's browser to send a request the user did not intend, and the application processes it as if the user had made it deliberately. In Simple Car Rental System 1.0 the weakness stems from missing or inadequate anti-CSRF defenses: no unpredictable, session-bound token in state-changing forms, no Origin/Referer validation, and no SameSite restriction on the session cookie. The CVE description does not identify the affected endpoint ("an unknown part"), so every state-changing form in the application should be treated as in scope until a fix is confirmed. The affected CPE (cpe:2.3:a:code-projects:simple_car_rental_system:1.0:*:*:*:*:*:*:*) identifies the product and version. CSRF works because the browser attaches cookies (and other ambient credentials such as HTTP Basic auth) to any request destined for the application's origin regardless of which site created that request; an auto-submitting form on the attacker's page is therefore indistinguishable to the server from a request the victim made on purpose unless the application checks something the attacker's page cannot read or forge.

Remediation (AI)

No vendor-released patch identified at time of analysis. Developers should implement anti-CSRF protections in layers: add a unique, unpredictable, session-bound CSRF token to every state-changing form (POST, PUT, DELETE) and reject any such request whose token fails server-side validation; set SameSite=Strict (or at least Lax) on the session cookie so the browser does not attach it to cross-site requests; and validate the Origin header (falling back to Referer when Origin is absent), rejecting cross-origin requests. Users of Simple Car Rental System 1.0 should check the code-projects.org project page (https://code-projects.org/) for an updated release and migrate to it if one is available. As temporary compensating controls, restrict the deployment to an internal network or front it with a reverse proxy or WAF rule that drops state-changing requests whose Origin or Referer is cross-site; these reduce exposure but do not remove the underlying weakness, and a filter cannot tell a forged request from a legitimate one once the cookie and headers look correct.
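The following is an added example, not code from Simple Car Rental System or from code-projects, illustrating both the mechanism described under Technical Context and the three defenses listed above. It models a form handler that changes the account e-mail address: the vulnerable shape trusts the session cookie alone, the hardened shape adds an Origin/Referer check and a session-bound HMAC token, and a small browser model shows why SameSite on the session cookie stops the forged request before it reaches the server. The origin names, the cookie name `session`, the form field names and the request dictionaries are constructed assumptions, not details from the advisory.

```python
"""Added example (not code from Simple Car Rental System or code-projects):
a minimal model of a state-changing form handler, first trusting the session
cookie alone (the CSRF-vulnerable shape), then with the three defenses from
the remediation section. Origins, cookie name, field names and the request
dicts are constructed assumptions."""
import hashlib
import hmac
import secrets
from typing import Mapping, Optional

SITE_ORIGIN = "https://rental.example"   # assumed deployment origin
SECRET_KEY = secrets.token_bytes(32)     # server-side secret, generated per deployment


def issue_csrf_token(session_id: str, nonce: Optional[str] = None) -> str:
    """Session-bound token: nonce in the clear plus HMAC(secret, session_id:nonce),
    so a token leaked from one session is useless in another."""
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = issue_csrf_token(session_id, nonce).split(".", 1)[1]
    return hmac.compare_digest(mac, expected)


def origin_allowed(headers: Mapping[str, str]) -> bool:
    """Browsers send Origin on cross-origin POSTs, so check it first; fall back to
    Referer; a state-changing request carrying neither is treated as cross-origin."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    return referer is not None and referer.startswith(SITE_ORIGIN + "/")


def session_cookie_header(session_id: str, samesite: Optional[str] = "Strict") -> str:
    """Set-Cookie value for the session; samesite=None omits the attribute."""
    attrs = [f"session={session_id}", "Path=/", "Secure", "HttpOnly"]
    if samesite:
        attrs.append(f"SameSite={samesite}")
    return "; ".join(attrs)


def browser_attaches_cookie(set_cookie: str, request_origin: str) -> bool:
    """Simplified browser rule for a cross-site top-level POST: Strict and Lax
    withhold the cookie, None sends it, and an unset attribute is modelled with
    the legacy behaviour (sent). Chromium now treats unset as Lax, so real
    exposure varies by browser."""
    if request_origin == SITE_ORIGIN:
        return True
    attrs = [a.strip().lower() for a in set_cookie.split(";")]
    samesite = next((a.split("=", 1)[1] for a in attrs if a.startswith("samesite=")), None)
    return samesite in (None, "none")


def forged_request(session_id: str, set_cookie: str,
                   attacker_origin: str = "https://evil.example") -> dict:
    """Constructed: the POST an auto-submitting form on attacker_origin produces.
    The attacker chooses the form fields but cannot read the victim's token."""
    cookies = {"session": session_id} if browser_attaches_cookie(set_cookie, attacker_origin) else {}
    return {"headers": {"Origin": attacker_origin}, "cookies": cookies,
            "form": {"email": "attacker@evil.example"}}


def handle_update_vulnerable(request: dict, session: dict) -> str:
    """'Before' shape: a valid session cookie is the only check."""
    if request["cookies"].get("session") != session["id"]:
        return "401 not logged in"
    session["email"] = request["form"]["email"]
    return "200 updated"


def handle_update_hardened(request: dict, session: dict) -> str:
    """Same action behind the session check, an Origin/Referer check and the token."""
    if request["cookies"].get("session") != session["id"]:
        return "401 not logged in"
    if not origin_allowed(request["headers"]):
        return "403 cross-origin request rejected"
    if not verify_csrf_token(session["id"], request["form"].get("csrf_token")):
        return "403 missing or invalid CSRF token"
    session["email"] = request["form"]["email"]
    return "200 updated"


if __name__ == "__main__":
    sid = "c7f3a1"
    session = {"id": sid, "email": "victim@example.org"}
    legacy = forged_request(sid, session_cookie_header(sid, samesite=None))
    print(handle_update_vulnerable(legacy, dict(session)))   # 200 updated: forgery succeeds
    print(handle_update_hardened(legacy, dict(session)))     # 403 cross-origin request rejected
    print(forged_request(sid, session_cookie_header(sid))["cookies"])  # {}: Strict withholds the cookie
```

The three checks are deliberately independent: the Origin check catches the forged request even where the browser still attaches the cookie, the token check catches it even where Origin and Referer are stripped or absent, and SameSite keeps the cookie out of the cross-site request before the server sees it. Binding the token to the session with an HMAC means the server stores no per-token state and a token copied from the attacker's own session cannot be replayed against the victim's.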

CVE-2025-8335 vulnerability details – vuln.today