Skip to main content

Zwiicms

2 CVEs product

Monthly

CVE-2025-34467 MEDIUM This Month

Resource lock poisoning in ZwiiCMS prior to 13.7.00 allows authenticated low-privilege users to deny administrators access to administrative functionality by exploiting a race between lock acquisition and authorization. The application incorrectly acquires and binds a temporary resource lock to the requesting session before completing the authorization check - meaning even a request that ultimately returns 404 holds the lock until the attacker's session is cleared. No public exploit has been identified and the vulnerability is not listed in CISA KEV; real-world risk is bounded by the requirement for a pre-existing authenticated session.

Information Disclosure Zwiicms
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-57130 HIGH This Week

Privilege escalation in ZwiiCMS content management system (versions up to and including v13.6.07) allows a low-privilege authenticated user to read and overwrite the profile data of any other account, including administrators, by manipulating a crafted HTTP request to the user management component. Because an attacker can rewrite an administrator's credentials, this effectively yields full administrative takeover of the CMS. EPSS is low (0.23%, 46th percentile) and there is no public exploit identified at time of analysis, so risk is elevated primarily by the low attack complexity rather than by evidence of in-the-wild use.

Authentication Bypass Zwiicms
NVD
CVSS 3.1
8.8
EPSS
0.2%
EPSS 0% CVSS 5.3
MEDIUM This Month

Resource lock poisoning in ZwiiCMS prior to 13.7.00 allows authenticated low-privilege users to deny administrators access to administrative functionality by exploiting a race between lock acquisition and authorization. The application incorrectly acquires and binds a temporary resource lock to the requesting session before completing the authorization check - meaning even a request that ultimately returns 404 holds the lock until the attacker's session is cleared. No public exploit has been identified and the vulnerability is not listed in CISA KEV; real-world risk is bounded by the requirement for a pre-existing authenticated session.

Information Disclosure Zwiicms
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in ZwiiCMS content management system (versions up to and including v13.6.07) allows a low-privilege authenticated user to read and overwrite the profile data of any other account, including administrators, by manipulating a crafted HTTP request to the user management component. Because an attacker can rewrite an administrator's credentials, this effectively yields full administrative takeover of the CMS. EPSS is low (0.23%, 46th percentile) and there is no public exploit identified at time of analysis, so risk is elevated primarily by the low attack complexity rather than by evidence of in-the-wild use.

Authentication Bypass Zwiicms
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy