CVE-2025-62618 · HIGH 8.0 · EPSS p17.0%

CVE-2025-62618

Description

ELOG allows an authenticated user to upload arbitrary HTML files. The HTML content is executed in the browser context of other users when they open the file. Because ELOG includes usernames and password hashes in certain HTTP requests, an attacker can obtain the target's credentials and either replay them or crack the password hash offline. As of the ELOG 3.1.5-20251014 release, HTML files are rendered as plain text.

Scoring

CVSS 3.1: 8.0 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.26% probability of exploitation · percentile 17.0% · 2026-06-19T12:03:05Z
Published: 2025-10-31
Last modified: 2025-11-10

Underlying weaknesses (3)

CWE-79, CWE-434, CWE-836

References

  1. https://bitbucket.org/ritt/elog/commits/7092ff64f6eb9521f8cc8c52272a020bf3730946
  2. https://bitbucket.org/ritt/elog/commits/f81e5695c40997322fe2713bfdeba459d9de09dc
  3. https://elog.psi.ch/elog/download/RPMS/?C=M;O=D
  4. https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-304-01.json
  5. https://www.cve.org/CVERecord?id=CVE-2025-62618

Weakness mappings (3)

Type      Target                                                                                CWE      Confidence  Tier
Weakness  Unrestricted Upload of File with Dangerous Type                                       CWE-434  0%          live
Weakness  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')  CWE-79   0%          live
Weakness  Use of Password Hash Instead of Password for Authentication                           CWE-836  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-64349
  2. CVE-2025-29401
  3. CVE-2025-61930
  4. CVE-2026-21628
  5. CVE-2025-59818
  6. CVE-2025-22978

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.