CVE-2025-24968 · HIGH 8.8 · EPSS p43.0%


Description

reNgine is an automated reconnaissance framework for web applications. An unrestricted project deletion vulnerability allows attackers holding specific roles, such as `penetration_tester` or `auditor`, to delete all projects in the system. Because the application redirects to the onboarding page once no projects exist, this can lead to a complete system takeover: on the onboarding page the attacker can add or modify users, including Sys Admins, and configure critical settings such as API keys and user preferences. This issue affects all versions up to and including 2.20. Users are advised to monitor the project for future releases which address this issue. There are no known workarounds.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.58% probability of exploitation · percentile 43.0% · scored 2026-06-19T12:03:05Z
Published: 2025-02-04
Last modified: 2025-05-13

Underlying weaknesses (1)

CWE-284 (Improper Access Control)

References

  1. https://github.com/yogeshojha/rengine/security/advisories/GHSA-3327-6x79-q396


Type       Target                               Confidence   Tier
Weakness   Improper Access Control (CWE-284)    0%           live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-24962
  2. CVE-2025-70821
  3. CVE-2026-9522
  4. CVE-2026-2199
  5. CVE-2026-53469
  6. CVE-2025-25268

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.