EUVD-2025-17296

CVE-2025-49237 | HIGH 7.4 (CVSS 3.1)
Published 2025-06-06 | Assigner: [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

EUVD ID Assigned (EUVD-2025-17296): Mar 14, 2026 - 18:10 (euvd)
Analysis Generated: Mar 14, 2026 - 18:10 (vuln.today)
CVE Published: Jun 06, 2025 - 13:15 (nvd)

Description

Cross-Site Request Forgery (CSRF) vulnerability in POEditor POEditor allows Path Traversal. This issue affects POEditor: from n/a through 0.9.10.

Analysis

Cross-Site Request Forgery (CSRF) in POEditor, affecting every version up to and including 0.9.10 ("from n/a through 0.9.10" means no lower bound is known). An attacker who lures a logged-in user to a page they control can make that user's browser submit a forged request to the application; because the path parameter in that request is not confined to the intended directory, the forged request can reach files outside it. The vector's impact metrics (C:N/I:N/A:H) say the outcome is loss of availability rather than disclosure or tampering, which is consistent with the traversal being used destructively (for instance, a delete or overwrite of a file the application depends on) rather than to read files; the page does not name the affected function. The 7.4 score reflects an issue reachable over the network (AV:N), with low complexity (AC:L) and no privileges needed on the attacker's side (PR:N); what limits real-world exploitation is UI:R, the need for a victim with a valid session to visit the attacker's page. The priority breakdown below records no KEV listing, an EPSS contribution of 0.0 and no public PoC at the time the analysis was generated, so nothing on this page indicates active exploitation.

Technical Context

This vulnerability combines two distinct weakness classes: CWE-352 (Cross-Site Request Forgery) and path traversal (the CWE-22 class) in whatever file operation the forged request reaches. The CSRF component means a state-changing endpoint accepts requests that are authenticated only by the session cookie, which browsers attach to cross-site requests automatically, without requiring a per-session token or nonce that an attacker's page could not obtain; SameSite cookie attributes would have been a second, defense-in-depth barrier. The path traversal component means a user-supplied file name or path reaches a filesystem operation without being canonicalized and confined to the intended directory, so '../' sequences (or their URL-encoded equivalents) select a different file. On its own the traversal would need an authenticated user to submit the malicious path; the CSRF flaw lets an unauthenticated attacker (PR:N) supply it through the victim's browser, which is why the vector carries Scope: Changed, following the common convention for CSRF and XSS scoring in which the victim's browser is the vulnerable component and the application the impacted one. POEditor is a localization and translation management product, and a file import or export path is the natural place for such an operation, but the advisory does not identify the specific endpoint. The affected range "from n/a through 0.9.10" covers every release up to and including 0.9.10 and says nothing about the product's maintenance status.

Affected Products

POEditor, all versions up to and including 0.9.10, is affected. The page provides no CPE. If one is needed for matching, cpe:2.3:a:poeditor:poeditor:*:*:*:*:*:*:*:* with version <= 0.9.10 is a reasonable inference, but it is an inference rather than vendor-supplied data, and whether the vulnerable component is the web application itself or an installable library or plugin is not stated here. POEditor is a web-based localization platform (https://poeditor.com); a version range like this one applies to software you deploy yourself, so check the version of any POEditor component installed in your environment. This page does not name an endpoint or API that reports the version; use the component's own version metadata or admin interface.

Remediation

1) IMMEDIATE: Upgrade POEditor to a release later than 0.9.10. The page does not identify the first fixed version; confirm it from the vendor's release notes or security advisory before relying on the upgrade.
2) WORKAROUND (if upgrade unavailable): At the reverse proxy or WAF, reject POST/PUT/PATCH/DELETE requests to the affected endpoint that do not carry a custom header such as X-CSRF-Token. The proxy cannot validate the token's value without access to the session store, but requiring the header's presence still defeats CSRF: a cross-site HTML form cannot set custom headers, and a cross-origin fetch that tries to is stopped at the CORS preflight unless the application's CORS policy allows that header. Check that policy before relying on this.
3) MITIGATION: Set SameSite=Strict (or at least Lax) on the session cookie. Lax already withholds the cookie from cross-site POST form submissions; Strict also withholds it from cross-site top-level GET navigations, which matters if the vulnerable action can be triggered by GET.
4) INPUT VALIDATION: If source code access is available, canonicalize the supplied path (resolve '.', '..', repeated separators and percent-encoding) and then verify that the result lies inside the intended directory. A check that only rejects the literal string '../' misses encoded and backslash variants and is not a substitute.
5) MONITORING: Log every file upload, import, export and delete operation with the decoded path, and alert on '..' path segments, absolute paths, and state-changing requests whose Referer or Origin is another site.
Contact POEditor support (https://poeditor.com/contact) for official patch availability and timeline; check security advisories at https://poeditor.com/blog or the vendor's GitHub repository for patch release notes.
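The weakness pattern described under Technical Context and the fixes in remediation steps 2 to 4, as an added example in Python. This is illustrative code written for this page, not POEditor's code: the request and session objects, the import directory /srv/app/imports and the "delete an imported file" action are all assumed, since the advisory does not name the affected function. Filesystem access is simulated, so the handlers return the path they would act on.

```python
"""Added example (not POEditor code): a CSRF + path traversal handler and its fix.

Assumptions for the illustration: the Request/Session stand-ins, the import
directory and the 'delete import file' action. No real filesystem access.
"""
import hmac
import posixpath
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

IMPORT_DIR = "/srv/app/imports"   # constructed directory for the example


class RequestRejected(Exception):
    """Raised when a request fails a security check."""


@dataclass
class Session:
    """Stand-in for a server-side session bound to the browser's cookie."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Stand-in for an HTTP request; 'session' is whatever the cookie resolved to."""
    method: str
    session: Optional[Session]
    form: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)


def delete_import_vulnerable(request: Request, base_dir: str = IMPORT_DIR) -> str:
    """The weakness pattern: authentication only, no CSRF token, raw path join.

    A cross-site page can trigger this because the browser attaches the session
    cookie automatically, and '../' in the supplied name walks out of base_dir.
    """
    if request.session is None:
        raise RequestRejected("not authenticated")
    return posixpath.join(base_dir, request.form["file"])


def require_csrf_token(request: Request) -> None:
    """Reject state-changing requests that lack the session's CSRF token.

    The token may arrive as a form field or as an X-CSRF-Token header. A
    cross-site page cannot read the victim's token, so it cannot supply it.
    Constant-time comparison avoids leaking the token byte by byte.
    """
    if request.session is None:
        raise RequestRejected("not authenticated")
    supplied = request.form.get("csrf_token") or request.headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(supplied, request.session.csrf_token):
        raise RequestRejected("missing or invalid CSRF token")


def resolve_import_path(base_dir: str, user_path: str) -> str:
    """Canonicalize the supplied name and confine it to base_dir.

    Normalizing first collapses '.', '..' and repeated separators, so the
    containment check sees the path the OS would actually open. commonpath is
    used instead of a string prefix so '/srv/app/imports2' does not pass for
    '/srv/app/imports'. Symlinks inside base_dir are out of scope here; a real
    handler would additionally realpath() the final path.
    """
    if "\x00" in user_path or "\\" in user_path:
        raise RequestRejected("disallowed character in path")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if candidate == base or posixpath.commonpath([base, candidate]) != base:
        raise RequestRejected("path escapes import directory")
    return candidate


def delete_import_hardened(request: Request, base_dir: str = IMPORT_DIR) -> str:
    """Fixed handler: POST only, CSRF token required, path confined to base_dir."""
    if request.method != "POST":
        raise RequestRejected("state change requires POST")
    require_csrf_token(request)
    return resolve_import_path(base_dir, request.form["file"])


def attempt(handler, request: Request) -> str:
    """Run a handler and report the outcome as a string ('ok:<path>' or 'rejected:<why>')."""
    try:
        return "ok:" + handler(request)
    except RequestRejected as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    victim = Session(user="alice")
    # Constructed forged request: a lure page on another origin submits a form.
    # The cookie (hence the session) rides along; the token does not.
    forged = Request("POST", victim, {"file": "../../../etc/hosts"})
    print(attempt(delete_import_vulnerable, forged))   # ok:/srv/app/imports/../../../etc/hosts
    print(attempt(delete_import_hardened, forged))     # rejected:missing or invalid CSRF token
    # Same-origin request carrying the token but still trying to traverse.
    insider = Request("POST", victim, {"file": "../../../etc/hosts", "csrf_token": victim.csrf_token})
    print(attempt(delete_import_hardened, insider))    # rejected:path escapes import directory
    # Legitimate request: token present, '..' that stays inside the directory.
    legit = Request("POST", victim, {"file": "sub/../messages.po", "csrf_token": victim.csrf_token})
    print(attempt(delete_import_hardened, legit))      # ok:/srv/app/imports/messages.po
```

Two design points: the CSRF check and the path check are independent, so each closes one of the two weaknesses on its own and together they cover the chained case; and `resolve_import_path` accepts `sub/../messages.po`, which a literal-`../` filter would reject, while rejecting the encoded and absolute forms such a filter would miss.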
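Remediation step 5, as an added example of the monitoring logic run over constructed access-log lines (Python; not code from this page or from the vendor). The endpoint /import, the 'file' parameter, the hostnames and every log line are invented for the example; the two signals it looks for are '..' segments or absolute paths in decoded request parameters and state-changing requests whose Referer is another site.

```python
"""Added example (not from the advisory or the vendor): scan access logs for
traversal sequences in request parameters and for cross-site state changes.

The endpoint, parameter name, hostnames and log lines are constructed.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

APP_HOST = "app.example"   # constructed hostname of the protected application

# Constructed combined-format access log. Line 2 is a forged POST from a lure
# page with an encoded traversal; line 3 is double-encoded; line 4 uses
# backslashes. Line 1 is a legitimate request.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Jun/2025:13:15:02 +0000] "POST /import?file=messages.po HTTP/1.1" 200 512 "https://app.example/import" "Mozilla/5.0"
203.0.113.5 - - [06/Jun/2025:13:15:09 +0000] "POST /import?file=..%2F..%2F..%2Fetc%2Fhosts HTTP/1.1" 500 0 "https://evil.example/lure.html" "Mozilla/5.0"
198.51.100.7 - - [06/Jun/2025:13:16:41 +0000] "POST /import?file=%252e%252e%252fconfig.php HTTP/1.1" 200 0 "-" "curl/8.0"
198.51.100.9 - - [06/Jun/2025:13:17:03 +0000] "GET /import?file=sub/..\\..\\config.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so '%252e' ends up as '.'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True if the decoded value has a '..' path segment or is an absolute path.

    Backslashes are treated as separators because some platforms do. Checking
    segments rather than the substring '../' avoids flagging names like 'notes..txt'.
    """
    normalized = decode_fully(value).replace("\\", "/")
    return ".." in normalized.split("/") or normalized.startswith("/")


def analyze_line(line: str, app_host: str = APP_HOST) -> Dict[str, object]:
    """Parse one log line and list the reasons it is suspicious (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return {"ip": "?", "method": "?", "reasons": ["unparsed"]}
    reasons: List[str] = []
    path, _, query = m.group("target").partition("?")
    # The request path is always absolute, so only its segments are checked;
    # parameter values get the full check (parse_qsl decodes one layer, decode_fully the rest).
    if ".." in decode_fully(path).replace("\\", "/").split("/"):
        reasons.append("traversal")
    elif any(has_traversal(v) for _, v in parse_qsl(query, keep_blank_values=True)):
        reasons.append("traversal")
    referer = m.group("referer")
    if m.group("method") in STATE_CHANGING and referer not in ("", "-"):
        if urlsplit(referer).hostname != app_host:
            reasons.append("cross-site-referer")   # a missing Referer is not flagged: it is common and not conclusive
    return {"ip": m.group("ip"), "method": m.group("method"), "reasons": reasons}


def analyze_log(text: str, app_host: str = APP_HOST) -> List[Dict[str, object]]:
    """Return one finding per suspicious line, with its 1-based line number."""
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        result = analyze_line(line, app_host)
        if result["reasons"]:
            result["line"] = number
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)   # lines 2, 3 and 4 are reported; line 2 with both reasons
```

Run against real logs, the Referer signal only works if the application's own pages send a Referer; a `Referrer-Policy` of `no-referrer` on the app would make every state-changing request look unattributed, which is why a missing header is deliberately not treated as an alert here.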

Priority Score

37 (scale: Low / Medium / High / Critical)
Contributions: KEV 0, EPSS +0.0, CVSS +37, POC 0

EUVD-2025-17296 vulnerability details – vuln.today
