CVE-2025-26058

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-26058

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-26058.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-26058

Published

2025-02-18T18:15:35.653Z

Modified

2025-11-20T12:34:05.563263Z

Severity

4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

[none]

Details

Webkul QloApps v1.6.1 exposes authentication tokens in URLs during redirection. When users access the admin panel or other protected areas, the application appends sensitive authentication tokens directly to the URL.

References

https://github.com/mano257200/QloApps-VUL

Affected packages

Git / github.com/webkul/hotelcommerce

Affected ranges

Type: GIT
Repo: https://github.com/webkul/hotelcommerce
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

950b37ed1c044f2252149aa09ca7f9adeb97991e

Affected versions

v0.*

v0.3

v1.*

v1.3.0

v1.3.1

v1.3.2

v1.4.0

v1.4.1

v1.5.0

v1.5.1

v1.5.2

v1.6.0

v1.6.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-26058.json"