CVE-2025-10764 MEDIUM

CVE-2025-10764: SeriaWei ZKEACMS Event Action System PendingTaskController.cs Edit server-side request forgery

Vendor Seriawei
Product ZKEACMS
Weakness CWE-918 · SSRF
Published September 21, 2025
Last update September 22, 2025
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability was identified in SeriaWei ZKEACMS up to 4.3. This affects the function Edit of the file src/ZKEACMS.EventAction/Controllers/PendingTaskController.cs of the component Event Action System. Such manipulation of the argument Data leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

September 21, 2025 CVE published
September 22, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-22817 Server-side Request Forgery vulnerability in Western Digital My Cloud, My Cloud Home and SanDisk ibi products CVE-2026-27808 Mailpit is Vulnerable to Server-Side Request Forgery (SSRF) via Link Check API CVE-2024-13904 Platform.ly for WooCommerce <= 1.1.6 - Unauthenticated Blind Server-Side Request Forgery CVE-2025-3254 xujiangfei admintwo add server-side request forgery CVE-2025-6242 Vllm: server side request forgery (ssrf) in mediaconnector