Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description asserts unauthenticated remote code execution via a public registration endpoint (AV:N/AC:L/PR:N/UI:N) with total impact, though the CWE-640 mapping leaves true impact uncertain.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
An issue in DokuWiki 2025-05-14b "Librarian" 56.2 allows a remote attacker to execute arbitrary code via the register function in inc/auth.php
AnalysisAI
Remote code execution is claimed in DokuWiki 2025-05-14b "Librarian" (build 56.2) via the register function in inc/auth.php, which security intelligence maps to CWE-640 (weak password-recovery mechanism) - a mismatch that suggests account-takeover-to-code-execution rather than a direct memory-corruption RCE. The CVSS 3.1 score of 9.8 (network, no authentication, no user interaction) implies any internet-facing DokuWiki instance is at risk, and publicly available exploit code exists (a public gist proof-of-concept plus SSVC 'poc' exploitation status), though EPSS remains low at 0.26% (17th percentile), indicating no observed mass exploitation yet. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation targets DokuWiki instances that expose the user self-registration feature (the 'register' action) reachable over the network; per CVSS AV:N/AC:L/PR:N/UI:N the attack is remote with low complexity, no authentication, and no user interaction against affected 2025-05-14b 'Librarian' 56.2 builds. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals conflict and should be weighed carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker on the network reaches the self-registration endpoint of an internet-facing DokuWiki 'Librarian' instance and abuses the flawed register()/password-recovery logic in inc/auth.php to create or take over a privileged account, then leverages that access to execute code on the host. A public proof-of-concept gist is available, lowering the skill required, and SSVC assesses the attack as automatable - meaning it could be scripted against many hosts. |
| Remediation | No vendor-released patch version is identified at time of analysis - the provided references point to the DokuWiki GitHub repository and issue #4682 rather than a tagged fixed release, so monitor https://github.com/dokuwiki/dokuwiki and issue #4682 for an official patched build and upgrade to it as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all DokuWiki instances and immediately isolate internet-facing deployments from public access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40863
GHSA-4856-qxx9-mgf3