CVE-2025-55299 · CRITICAL 9.4 · EPSS percentile 11.8%


Description

VaulTLS is a modern solution for managing mTLS (mutual TLS) certificates. Prior to 0.9.1, user accounts created through the User web UI have an empty, but not NULL, password set, and attackers can use this to log in with an empty password. Compounding this, disabling password-based login previously only affected the frontend; the API still accepted password-based login. This vulnerability is fixed in 0.9.1.

Scoring

CVSS 3.1: 9.4 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.22% probability of exploitation · percentile 11.8% · 2026-06-19T12:03:05Z
Published: 2025-08-18
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-521

References

  1. https://github.com/7ritn/VaulTLS/commit/6ac0a43a768f1753f6889ba43f914e773a4b45c0
  2. https://github.com/7ritn/VaulTLS/security/advisories/GHSA-pjfr-pj3h-cw8m


Type      | Target                               | Confidence | Tier
Weakness  | Weak Password Requirements (CWE-521) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-13357
  2. CVE-2026-4525
  3. CVE-2025-6013
  4. CVE-2026-5052
  5. CVE-2025-25570
  6. CVE-2025-9312
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.