CVE-2025-62797

216.73.216.233

· Published 29/10/2025 18:15 · Modified 29/10/2025 19:15

Labels: CVE-2025-62797 2025-10-29 CVE-2025-62797 CWE-352 [email protected]

Essential information

Published: 29/10/2025 18:15
Modified: 29/10/2025 19:15
Author: —
Creator: —
CVSS: 8.6 HIGH (v3) 8.6 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

FluxCP is a web-based Control Panel for rAthena servers written in PHP. A critical Cross-Site Request Forgery (CSRF) vulnerability exists in the FluxCP-based website template used by multiple rAthena/Ragnarok servers. State-changing POST endpoints accept browser-initiated requests that are authorized solely by the session cookie without per-request anti-CSRF tokens or robust Origin/Referer validation. An attacker who can lure a logged-in user to an attacker-controlled page can cause that user to perform sensitive actions without their intent. This vulnerability is fixed with commit e3f130c.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
rathena / fluxcp	`cpe:2.3:a:rathena:fluxcp::::::::`