CVE-2025-10759

21.09.2025, 01:15

A vulnerability was detected in Webkul QloApps up to 1.7.0. This affects an unknown function of the component CSRF Token Handler. Performing manipulation of the argument token results in authorization bypass. The attack may be initiated remotely. The exploit is now public and may be used. The vendor explains: "As We are already aware about this vulnerability and our Internal team are already working on this issue. (...) We'll implement the fix for this vulnerability in our next major release."

CSRF

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
VulDB	CNA	5.3 MEDIUM				CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 20%

Vendor	Product	Version
webkul	qloapps	𝑥 ≤ 1.7.0

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

References

https://github.com/Ryomensukuna13/QloApps-Reusable-CSRF-Token-in-Logout-Functionality/blob/main/README.md

https://github.com/Ryomensukuna13/QloApps-Reusable-CSRF-Token-in-Logout-Functionality/blob/main/README.md#proof-of-concept-poc

https://vuldb.com/?ctiid.325114

https://vuldb.com/?id.325114

https://vuldb.com/?submit.645821