CVE-2025-12266 | Zytec Dalian Zhuoyun Technology Central Authentication Service up to 20251009 /index.php/auth/widget _empty get.layer/get.widget/get.action code injection

A vulnerability classified as critical has been found in Zytec Dalian Zhuoyun Technology Central Authentication Service up to 20251009. This vulnerability affects the function _empty of the file /index.php/auth/widget. Performing manipulation of the argument get.layer/get.widget/get.action results in code injection.

This vulnerability is reported as CVE-2025-12266. The attack is possible to be carried out remotely. Moreover, an exploit is present.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2025-12266 | Zytec Dalian Zhuoyun Technology Central Authentication Service up to 20251009 /index.php/auth/widget _empty get.layer/get.widget/get.action code injection

Post correlati

CVE-2024-28175 | argocd up to 2.8.11/2.9.0/2.9.7/2.10.0/2.10.2 URL Protocol cross site scripting (GHSA-jwv5-8mqv-g387)

CVE-2024-21672 | Atlassian Confluence Data Center/Confluence Server Remote Code Execution

CVE-2024-41376 | dzzoffice 2.02.1 user/space/about.php path traversal (Issue 252)

CVE-2024-56588 | Linux Kernel up to 6.12.4 hisi_sas null pointer dereference