Cyber Posture

CVE-2025-26201

Severity: Critical
Published: 24 February 2025
Modified: 15 April 2026
KEV Added: (no date listed)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0052 (66.8th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Credential disclosure vulnerability via the /staff route in GreaterWMS <= 2.1.49 allows remote unauthenticated attackers to bypass authentication and escalate privileges.

Security Summary

CVE-2025-26201 is a credential disclosure vulnerability in the /staff route of GreaterWMS versions 2.1.49 and earlier. Published on 2025-02-24, it enables remote unauthenticated attackers to bypass authentication and escalate privileges. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is classified under CWE-294 (Authentication Bypass by Capture-replay).

The vector reflects a network-reachable flaw with low attack complexity that requires no privileges and no user interaction. Exploitation bypasses authentication controls and yields privilege escalation with high impact on confidentiality and integrity; scope is unchanged and availability is not affected. Because the route discloses credentials to anyone who can reach it, any GreaterWMS instance at or below 2.1.49 that is exposed to untrusted networks should be treated as compromised-by-default until it is upgraded or the route is restricted.

Mitigation details and further information are available in advisories and resources including the vendor site at http://greaterwms.com, a proof-of-concept at https://github.com/Elymaro/CVE/blob/main/GreaterWMS/CVE-2025-26201.md, and the project issue tracker at https://github.com/GreaterWMS/GreaterWMS/issues/383.

Details

CWE(s): CWE-294 (Authentication Bypass by Capture-replay)

References:
- Vendor site: http://greaterwms.com
- Proof of concept: https://github.com/Elymaro/CVE/blob/main/GreaterWMS/CVE-2025-26201.md
- Project issue tracker: https://github.com/GreaterWMS/GreaterWMS/issues/383