CVE-2025-23044

CVE-2025-23044 is a medium-severity vulnerability in Pwndoc Project Pwndoc with a CVSS 3.x base score of 6.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-352.

Key facts

Description

PwnDoc is a penetration test report generator. There is no CSRF protection in pwndoc, allowing attackers to send requests on a logged-in user's behalf. This includes GET and POST requests due to the missing SameSite= attribute on cookies and the ability to refresh cookies. Commit 14acb704891245bf1703ce6296d62112e85aa995 patches the issue.

Frequently asked questions

What is CVE-2025-23044?
PwnDoc is a penetration test report generator. There is no CSRF protection in pwndoc, allowing attackers to send requests on a logged-in user's behalf. This includes GET and POST requests due to the missing SameSite= attribute on cookies and the ability to refresh cookies. Commit 14acb704891245bf1703ce6296d62112e85aa995 patches the issue.
How severe is CVE-2025-23044?
CVE-2025-23044 has a CVSS 3.x base score of 6.8, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability none.
Is CVE-2025-23044 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (15th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2025-23044?
CVE-2025-23044 affects Pwndoc Project Pwndoc. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2025-23044?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2025-23044 have an EU (EUVD) identifier?
Yes. CVE-2025-23044 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-3092.
When was CVE-2025-23044 published?
CVE-2025-23044 was published on 2025-01-20 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Pwndoc Project Pwndoc

All CVEs affecting Pwndoc Project Pwndoc →

Other CWE-352 (Cross-Site Request Forgery (CSRF)) vulnerabilities

Browse all CWE-352 (Cross-Site Request Forgery (CSRF)) vulnerabilities →