CVE-2025-9747

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-9747

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9747.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-9747

Published

2025-08-31T22:15:32.010Z

Modified

2025-11-20T12:41:01.108270Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A vulnerability has been found in Koillection up to 1.6.18. Affected is an unknown function of the file assets/controllers/csrfprotectioncontroller.js. Such manipulation leads to cross-site request forgery. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.0 is able to address this issue. The name of the patch is 9ab8562d3f1e953da93fed63f9ee802c7ea26a9a. It is suggested to upgrade the affected component. The vendor explains: "I ended up switching to a newer CSRF handling using stateless token."

References

Affected packages

Git / github.com/benjaminjonard/koillection

Affected ranges

Type: GIT
Repo: https://github.com/benjaminjonard/koillection
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9ab8562d3f1e953da93fed63f9ee802c7ea26a9a

Fixed

cfcf85228a9548f6f40e917cafad7acb8f63526b

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.1.7

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.3.0

1.3.1

1.3.10

1.3.15

1.3.16

1.3.17

1.3.18

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.3.8

1.3.9

1.4.0

1.4.1

1.4.10

1.4.11

1.4.12

1.4.13

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.4.8

1.4.9

1.5.0

1.5.1

1.5.10

1.5.11

1.5.12

1.5.13

1.5.14

1.5.15

1.5.16

1.5.2

1.5.3

1.5.4

1.5.5

1.5.6

1.5.7

1.5.8

1.5.9

1.6.0

1.6.1

1.6.10

1.6.11

1.6.12

1.6.13

1.6.14

1.6.15

1.6.16

1.6.17

1.6.18

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

1.6.8

1.6.9