Skip to main content

POEditor POEditor EUVDEUVD-2025-17296

| CVE-2025-49237 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-06-06 audit@patchstack.com
7.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
EUVD ID Assigned
Mar 14, 2026 - 18:10 euvd
EUVD-2025-17296
Analysis Generated
Mar 14, 2026 - 18:10 vuln.today
CVE Published
Jun 06, 2025 - 13:15 nvd
HIGH 7.4

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in POEditor POEditor allows Path Traversal. This issue affects POEditor: from n/a through 0.9.10.

AnalysisAI

Cross-Site Request Forgery (CSRF) vulnerability in POEditor that enables path traversal attacks, affecting versions 0.9.10 and earlier. An attacker can exploit this via a crafted request to perform unauthorized actions on behalf of an authenticated user, potentially leading to high availability impact. While the CVSS score of 7.4 indicates a significant threat, the requirement for user interaction (UI:R) and network-based attack vector limits real-world exploitability; current KEV and EPSS data are needed to determine if active exploitation is occurring.

Technical ContextAI

This vulnerability combines two distinct weakness classes: CWE-352 (Cross-Site Request Forgery) and path traversal capabilities. The CSRF component indicates insufficient CSRF token validation or SameSite cookie protections in POEditor's web application, allowing attackers to forge authenticated requests across origin boundaries. The path traversal aspect suggests that user-controlled input is not properly sanitized before file system operations, potentially allowing directory traversal sequences (../) to access unauthorized resources. POEditor (a localization/translation management platform) likely processes file uploads or imports without adequate CSRF protections and input validation. The affected versions (through 0.9.10) suggest this is a legacy or unmaintained component within the broader POEditor ecosystem.

RemediationAI

  1. IMMEDIATE: Upgrade POEditor to version 0.9.11 or later (patch version must be confirmed from vendor release notes/security advisories). 2) WORKAROUND (if upgrade unavailable): Implement CSRF token validation at the web server level (WAF rules to enforce X-CSRF-Token headers on state-changing requests). 3) MITIGATION: Deploy SameSite=Strict cookie attributes on session cookies to block cross-origin requests. 4) INPUT VALIDATION: If source code access available, implement canonicalization of file paths and reject any input containing '../' sequences. 5) MONITORING: Log all file upload/import operations and monitor for unusual path patterns in request logs. Contact POEditor support (https://poeditor.com/contact) for official patch availability and timeline; check security advisories at https://poeditor.com/blog or vendor GitHub repository for patch release notes.

Share

EUVD-2025-17296 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy