CVE-2025-23044HIGH 8.1EPSS p14.7%

CVE-2025-23044CVE-2025-23044

Description

PwnDoc is a penetration test report generator. There is no CSRF protection in pwndoc, allowing attackers to send requests on a logged-in user's behalf. This includes GET and POST requests due to the missing SameSite= attribute on cookies and the ability to refresh cookies. Commit 14acb704891245bf1703ce6296d62112e85aa995 patches the issue.

Scoring

CVSS 3.18.1 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS0.24% probability of exploitation · percentile 14.7% · 2026-06-18T12:00:27Z
Published2025-01-20
Last modified2025-05-07

Underlying weaknesses· 1

CWE-352

References

  1. https://github.com/pwndoc/pwndoc/commit/14acb704891245bf1703ce6296d62112e85aa995
  2. https://github.com/pwndoc/pwndoc/security/advisories/GHSA-9v2v-jxvw-52rq

1

TypeTargetConfidenceTier
WeaknessCross-Site Request Forgery (CSRF)cwe-3520%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-54761
CVE
CVE-2025-25101
CVE
CVE-2025-36728
CVE
CVE-2025-25106
CVE
CVE-2025-31036
CVE
CVE-2025-59572
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.