CVE-2025-9747HIGH 8.8EPSS p29.1%

CVE-2025-9747CVE-2025-9747

Description

A vulnerability has been found in Koillection up to 1.6.18. Affected is an unknown function of the file assets/controllers/csrf_protection_controller.js. Such manipulation leads to cross-site request forgery. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.0 is able to address this issue. The name of the patch is 9ab8562d3f1e953da93fed63f9ee802c7ea26a9a. It is suggested to upgrade the affected component. The vendor explains: "I ended up switching to a newer CSRF handling using stateless token."

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS0.37% probability of exploitation · percentile 29.1% · 2026-06-19T12:03:05Z
Published2025-08-31
Last modified2026-04-29

Underlying weaknesses· 2

CWE-352CWE-862

References

  1. https://github.com/benjaminjonard/koillection/commit/9ab8562d3f1e953da93fed63f9ee802c7ea26a9a
  2. https://github.com/benjaminjonard/koillection/issues/1393
  3. https://github.com/benjaminjonard/koillection/issues/1393#issue-3347724086
  4. https://github.com/benjaminjonard/koillection/issues/1393#issuecomment-3217310072
  5. https://github.com/benjaminjonard/koillection/releases/tag/1.7.0
  6. https://vuldb.com/?ctiid.322047
  7. https://vuldb.com/?id.322047
  8. https://vuldb.com/?submit.640421

2

TypeTargetConfidenceTier
WeaknessCross-Site Request Forgery (CSRF)cwe-3520%live
WeaknessMissing Authorizationcwe-8620%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-60111
CVE
CVE-2025-36728
CVE
CVE-2025-13177
CVE
CVE-2025-65840
CVE
CVE-2025-59572
CVE
CVE-2025-58997
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.