CVE-2025-15098 | YunaiV yudao-cloud up to 2025.11 Business Process Management BpmHttpCallbackTrigger/BpmSyncHttpRequestTrigger url/header/body server-side request forgery

Inserito da Angelo Barbosa | Dic 25, 2025 | CVE

A vulnerability was found in YunaiV yudao-cloud up to 2025.11. It has been declared as critical. This affects the function BpmHttpCallbackTrigger/BpmSyncHttpRequestTrigger of the component Business Process Management. Executing manipulation of the argument url/header/body can lead to server-side request forgery.

This vulnerability appears as CVE-2025-15098. The attack may be performed from remote. In addition, an exploit is available.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2025-15098 | YunaiV yudao-cloud up to 2025.11 Business Process Management BpmHttpCallbackTrigger/BpmSyncHttpRequestTrigger url/header/body server-side request forgery

Post correlati

CVE-2025-9753 | Campcodes Online Hospital Management System 1.0 Patient Search patient-search.php Search by Name Mobile No cross site scripting

CVE-2024-40786 | Apple macOS User Information information disclosure

CVE-2024-37896 | flipped-aurora gin-vue-admin up to 2.6.5 sql injection (GHSA-gf3r-h744-mqgp)

CVE-2024-29232 | Synology Surveillance Station prior 9.2.0-9289/9.2.0-11289 WebAPI Alert.Enum sql injection (SA_24_04)