CVE-2025-65276

EUVD-2025-199763

26.11.2025, 20:15

An unauthenticated administrative access vulnerability exists in the open-source HashTech project (https://github.com/henzljw/hashtech) 1.0 thru commit 5919decaff2681dc250e934814fc3a35f6093ee5 (2021-07-02). Due to missing authentication checks on /admin_index.php, an attacker can directly access the admin dashboard without valid credentials. This allows full administrative control including viewing/modifying user accounts, managing orders, changing payments, and editing product listings. Successful exploitation can lead to information disclosure, data manipulation, and privilege escalation.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADP	ADP	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 26%

Affected Products (NVD)

Vendor	Product	Version
henzljw	hashtech	𝑥 ≤ 2021-07-02

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-284 - Improper Access Control
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References

https://gist.github.com/whoisrushi/c3bfcd1adf96d80952edbd03d0310836