CVE-2025-48881HIGH 8.3EPSS p20.0%

CVE-2025-48881CVE-2025-48881

Description

Valtimo is a platform for Business Process Automation. In versions starting from 11.0.0.RELEASE to 11.3.3.RELEASE and 12.0.0.RELEASE to 12.12.0.RELEASE, all objects for which an object-management configuration exists can be listed, viewed, edited, created or deleted by unauthorised users. If object-urls are exposed via other channels, the contents of these objects can be viewed independent of object-management configurations. This issue has been patched in version 12.13.0.RELEASE. A workaround for this issue involves overriding the endpoint security as defined in ObjectenApiHttpSecurityConfigurer and ObjectManagementHttpSecurityConfigurer. Depending on the implementation, this could result in loss of functionality.

Scoring

CVSS 3.18.3 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
EPSS0.29% probability of exploitation · percentile 20.0% · 2026-06-18T12:00:27Z
Published2025-05-30
Last modified2026-04-15

Underlying weaknesses· 1

CWE-863

References

  1. https://github.com/valtimo-platform/valtimo-backend-libraries/commit/6ab04b30d3dab816bfea32d40ba50e5dd4517272
  2. https://github.com/valtimo-platform/valtimo-backend-libraries/security/advisories/GHSA-965r-9cg9-g42p

1

TypeTargetConfidenceTier
WeaknessIncorrect Authorizationcwe-8630%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-58059
CVE
CVE-2026-42555
CVE
CVE-2026-23544
CVE
CVE-2025-10611
CVE
CVE-2025-42964
CVE
CVE-2025-42980
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.