CVE-2025-10209 MEDIUM

CVE-2025-10209: Papermerge DMS Authorization Token improper authorization

Vendor Papermerge
Product DMS
Weakness CWE-285
Published September 10, 2025
Last update September 10, 2025
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A security flaw has been discovered in Papermerge DMS up to 3.5.3. This issue affects some unknown processing of the component Authorization Token Handler. Performing manipulation results in improper authorization. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

September 10, 2025 CVE published
September 10, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-14206 SourceCodester Online Student Clearance System Fee Table delete-fee.php improper authorization CVE-2021-28501 An issue has recently been discovered in Arista EOS where the incorrect use of EOS's AAA API’s by the OpenConfig and TerminAttr agents could result in unrestricted access to the device for local users with nopassword configuration. CVE-2024-39419 A user without ship permissions can ship the orders CVE-2023-47109 PrestaShop blockreassurance BO User can remove any file from server when adding a and deleting a block CVE-2021-24193 Visitor Traffic Real Time Statistics < 2.12 - Arbitrary Plugin Installation/Activation via Low Privilege User