CVE-2025-62368

CVE-2025-62368 is a remote code execution vulnerability in the Taiga API of the open source project management platform Taiga, stemming from unsafe deserialization of untrusted data (CWE-502). It affects Taiga versions 6.8.3 and earlier. The vulnerability has a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact exploitation across confidentiality, integrity, and availability.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R), such as clicking a malicious link or importing crafted data via the API. Successful exploitation changes scope (S:C) and grants remote code execution on the server, enabling full compromise including data exfiltration, modification, or denial of service.

The Taiga security advisory at https://github.com/taigaio/taiga-back/security/advisories/GHSA-cpcf-9276-fwc5 confirms the issue and states it is fixed in version 6.9.0. Security practitioners should upgrade to 6.9.0 or later and review access controls for the Taiga API to mitigate risks from authenticated users.