CVE-2025-15241

30.12.2025, 09:15

A security vulnerability has been detected in CloudPanel Community Edition up to 2.5.1. The affected element is an unknown function of the file /admin/users of the component HTTP Header Handler. Such manipulation of the argument Referer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.5.2 is sufficient to fix this issue. Upgrading the affected component is recommended.

Open Redirect

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	3.5 LOW	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
VulDB	CNA	3.5 LOW				CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References

https://github.com/Stolichnayer/cloudpanel-open-redirect

https://github.com/Stolichnayer/cloudpanel-open-redirect?tab=readme-ov-file#%EF%B8%8F-steps-to-reproduce

https://github.com/cloudpanel-io/cloudpanel-ce/releases/tag/v2.5.2

https://vuldb.com/?ctiid.338631

https://vuldb.com/?id.338631

https://vuldb.com/?submit.725543