CVE-2025-5409CRITICAL 9.8EPSS p38.7%

CVE-2025-5409CVE-2025-5409

Description

A vulnerability was found in Mist Community Edition up to 4.7.1. It has been classified as critical. This affects the function create_token of the file src/mist/api/auth/views.py of the component API Token Handler. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.7.2 is able to address this issue. The identifier of the patch is db10ecb62ac832c1ed4924556d167efb9bc07fad. It is recommended to upgrade the affected component.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.50% probability of exploitation · percentile 38.7% · 2026-06-19T12:03:05Z
Published2025-06-01
Last modified2025-11-25

Underlying weaknesses· 2

CWE-266CWE-284

References

  1. https://github.com/Stolichnayer/mist-ce-account-takeover
  2. https://github.com/mistio/mist-ce/releases/tag/v4.7.2
  3. https://github.com/mistio/mist.api/commit/db10ecb62ac832c1ed4924556d167efb9bc07fad
  4. https://vuldb.com/?ctiid.310749
  5. https://vuldb.com/?id.310749
  6. https://vuldb.com/?submit.583531

2

TypeTargetConfidenceTier
WeaknessIncorrect Privilege Assignmentcwe-2660%live
WeaknessImproper Access Controlcwe-2840%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-45611
CVE
CVE-2025-7897
CVE
CVE-2025-52898
CVE
CVE-2025-45468
CVE
CVE-2025-52824
CVE
CVE-2025-3177
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.