CVE-2025-70841
Published: 03 February 2026
Description
Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via a direct request to the /script/.env file. The exposed file contains the Laravel application encryption key (APP_KEY), database credentials, SMTP/SendGrid API credentials, and internal configuration parameters, enabling complete system compromise including authentication bypass via session token forgery, direct database access to all tenant data, and email infrastructure takeover. Due to the multi-tenancy architecture, this vulnerability affects all tenants in the system.
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- Directly mitigates exposure of sensitive .env file contents by controlling and reviewing publicly accessible content to exclude restricted information such as APP_KEY and database credentials.
- Protects publicly accessible web endpoints to block unauthorized access to sensitive configuration data in files such as /script/.env.
- Enforces secure web server configuration settings to restrict access to sensitive files such as .env, preventing unauthenticated disclosure.
Security Summary [AI-generated]
CVE-2025-70841 is a critical vulnerability in Dokans Multi-Tenancy Based eCommerce Platform SaaS version 3.9.2, where unauthenticated remote attackers can access sensitive application configuration data by directly requesting the /script/.env file. This exposed Laravel environment file discloses the APP_KEY for encryption, database credentials, SMTP/SendGrid API credentials, and other internal parameters. The multi-tenancy architecture means the issue impacts all tenants sharing the system, with a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N) and mapped to CWE-287 (Improper Authentication).
Any unauthenticated attacker with network access can exploit this by sending a simple HTTP GET request to the exposed endpoint, retrieving the full contents of the .env file without authentication or user interaction. Successful exploitation enables complete system compromise, including forging session tokens to bypass authentication, directly accessing the database for all tenant data, and taking over email infrastructure via stolen credentials.
Advisories and further details are documented in the product page on CodeCanyon at https://codecanyon.net/item/dokans-multitenancy-based-ecommerce-platform-saas/31122915 and a dedicated security advisory on GitHub at https://github.com/cod3rLucas/security-advisories/blob/main/CVE-2025-70841.md, published on 2026-02-03.
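As an added example (not part of this CVE record, the vendor's code, or the linked advisory), the following Python script scans web-server access-log lines in the common "combined" format and separates mere probing for dotenv files (non-2xx responses) from responses that actually served one, which is the signal a defender wants after reading the description above: a 200 for /script/.env means the file was disclosed and every credential in it should be treated as compromised. The log format, the sample lines (constructed, using documentation IP ranges), and all function names are assumptions.

```python
"""
Detect requests for dotenv files (.env, .env.bak, .env.local, ...) in
Apache/nginx "combined"-format access logs and classify each hit as a
probe (file not served) or a disclosure (2xx response).

Added example for the CVE-2025-70841 record; not vendor code.
The sample log lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import unquote

# combined format: ip ident user [time] "METHOD PATH PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# a final path segment named ".env" or ".env.<suffix>" (backup and per-environment copies)
DOTENV_RE = re.compile(r'(^|/)\.env(\.[A-Za-z0-9_.-]+)?$')


@dataclass
class Finding:
    ip: str
    time: str
    method: str
    path: str        # path exactly as logged (may be percent-encoded)
    status: int
    severity: str    # "disclosure" for 2xx, otherwise "probe"


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_dotenv_request(path: str) -> bool:
    """True if the request path targets a dotenv file.

    The query string is dropped and the path is percent-decoded first, so
    "/script/.env?cb=1" and "/script/%2Eenv" are both recognised.
    """
    bare = unquote(path.split("?", 1)[0])
    return DOTENV_RE.search(bare) is not None


def scan_access_log(lines) -> List[Finding]:
    """Classify every dotenv request in the given log lines."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_dotenv_request(rec["path"]):
            continue
        # any 2xx (including a HEAD with no body) confirms the file is reachable
        severity = "disclosure" if 200 <= rec["status"] < 300 else "probe"
        findings.append(Finding(rec["ip"], rec["time"], rec["method"],
                                rec["path"], rec["status"], severity))
    return findings


def disclosed_paths(findings: List[Finding]) -> Set[str]:
    """Decoded paths that were actually served; each maps to a file whose secrets must be rotated."""
    return {unquote(f.path.split("?", 1)[0]) for f in findings if f.severity == "disclosure"}


# Constructed sample: two probing clients, one of which also retrieves the file.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Feb/2026:10:15:01 +0000] "GET /script/.env HTTP/1.1" 200 1843 "-" "curl/8.4.0"',
    '203.0.113.7 - - [03/Feb/2026:10:15:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.4.0"',
    '198.51.100.23 - - [03/Feb/2026:10:16:40 +0000] "GET /index.php?page=env HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [03/Feb/2026:10:16:41 +0000] "GET /script/.env.bak HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '192.0.2.9 - - [03/Feb/2026:10:17:05 +0000] "GET /assets/environment.js HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [03/Feb/2026:10:17:06 +0000] "GET /script/%2Eenv?cb=1 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [03/Feb/2026:10:17:07 +0000] "HEAD /.env HTTP/1.1" 200 - "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.severity:10s} {f.ip:15s} {f.method:4s} {f.path} -> {f.status}")
    print("disclosed:", sorted(disclosed_paths(SAMPLE_LOG and scan_access_log(SAMPLE_LOG))))
```

Run against a real log with `scan_access_log(open("access.log"))`. Note that "/index.php?page=env" and "/assets/environment.js" are deliberately not flagged: the match is on a path segment literally named `.env`, not on the substring, which keeps the noise down on a busy e-commerce host. A single "disclosure" hit is enough to justify rotating APP_KEY, the database password and the SMTP/SendGrid keys, since the whole file was served in one request.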
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The CVE exposes the .env configuration file via an unauthenticated HTTP GET to a public-facing web application (T1190, Exploit Public-Facing Application), revealing credentials stored in a file (T1552.001, Unsecured Credentials: Credentials In Files) and the Laravel APP_KEY, which can be used to forge web cookies and sessions (T1606.001, Forge Web Credentials: Web Cookies).