CVE-2025-1782 · CRITICAL 9.9 · EPSS p36.1%

Description

In HylaFAX Enterprise Web Interface and AvantFAX, the language form element is not properly sanitized before being used and can be misused to include an arbitrary file in the PHP code allowing an attacker to do anything as the web server user. This flaw requires the attacker to be authenticated with a valid user account.

Scoring

CVSS 3.1: 9.9 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.46% probability of exploitation · percentile 36.1% · 2026-06-19T12:03:05Z
Published: 2025-04-14
Last modified: 2026-05-26

Underlying weaknesses · 1

CWE-94

References

  1. https://www.ifax.com/security/CVE-2025-1782.html

Type: Weakness · Target: Improper Control of Generation of Code ('Code Injection') (cwe-94) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-65875
CVE-2025-34335
CVE-2025-34334
CVE-2025-41734
CVE-2025-48732
CVE-2025-55211

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.