UBUNTU-CVE-2025-15438

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2025-15438

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-15438.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-15438

Upstream

CVE-2025-15438

Published

2026-01-02T15:15:00Z

Modified

2026-03-02T12:00:25.305662Z

Severity

4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. Executing a manipulation of the argument File can lead to deserialization. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was informed early about this issue and announced that "[w]e fix this issue in the next version 5.8.23". A patch for it is ready.

References

Affected packages

Ubuntu:16.04:LTS / pluxml

Package

Name: pluxml
Purl: pkg:deb/ubuntu/pluxml@5.4-1ubuntu1?arch=source&distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.4-1

5.4-1ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "pluxml",
            "binary_version": "5.4-1ubuntu1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-15438.json"

Ubuntu:18.04:LTS / pluxml

Package

Name: pluxml
Purl: pkg:deb/ubuntu/pluxml@5.5-2?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.5-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "pluxml",
            "binary_version": "5.5-2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-15438.json"

Ubuntu:20.04:LTS / pluxml

Package

Name: pluxml
Purl: pkg:deb/ubuntu/pluxml@5.6-1?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.6-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "pluxml",
            "binary_version": "5.6-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-15438.json"

Ubuntu:22.04:LTS / pluxml

Package

Name: pluxml
Purl: pkg:deb/ubuntu/pluxml@5.6-1?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.6-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "pluxml",
            "binary_version": "5.6-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-15438.json"