CVE-2019-25447 MEDIUM

CVE-2019-25447: OrientDB 3.0.17 Cross-Site Request Forgery

Vendor Orientdb
Product OrientDB
Weakness CWE-352 · CSRF
Published February 20, 2026
Last update April 7, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

What the vulnerability does

01Description

OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /database/, /command/, and /document/. Attackers can create or delete databases, modify schema classes, manage users, and create functions by sending authenticated requests without token validation, combined with reflected and stored cross-site scripting vulnerabilities in the web interface.

Key dates

02Disclosure timeline

February 20, 2026 CVE published
April 7, 2026 Record updated

Related vulnerabilities

04Related CVE