CVE-2025-58386 · CRITICAL 9.8 · EPSS p20.0%


Description

In Terminalfour 8 through 8.4.1.1, the userLevel parameter in the user management function is not subject to proper server-side authorization checks. A Power User can intercept and modify this parameter to assign the Administrator role to other existing lower-privileged accounts, or invite a new lower-privileged account and escalate its privileges. While manipulating this request, the Power User can also change the target account's password, effectively taking full control of it.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.28% probability of exploitation · percentile 20.0% · 2026-06-18T12:00:27Z
Published: 2025-12-02
Last modified: 2025-12-19

Underlying weaknesses (1)

CWE-285

References

  1. https://docs.terminalfour.com/release-notes/security-notices/cve-2025-58386/
  2. https://terminalfour.com


Type      Target                              Confidence  Tier
Weakness  Improper Authorization (cwe-285)    0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2026-48904
  - CVE: CVE-2026-6356
  - CVE: CVE-2026-23595
  - CVE: CVE-2026-8046
  - CVE: CVE-2025-1393
  - CVE: CVE-2025-40670

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.