CVE-2025-11636 MEDIUM

CVE-2025-11636: Tomofun Furbo 360 Account server-side request forgery

Vendor Tomofun

Product Furbo 360

Weakness CWE-918 · SSRF

Published October 12, 2025

Last update October 16, 2025

View on NVD All CVEs

CVSS base score

6.3/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X

What the vulnerability does

01Description

A security vulnerability has been detected in Tomofun Furbo 360 up to FB0035_FW_036. This issue affects some unknown processing of the component Account Handler. Such manipulation leads to server-side request forgery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

October 12, 2025 CVE published

October 16, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-11636

Related vulnerabilities

04Related CVE

CVE-2025-47483 WordPress Easy Replace Image plugin <= 3.5.0 - Server Side Request Forgery (SSRF) Vulnerability CVE-2020-7328 Server-Side Request Forgery (SSRF) in MVISION Endpoint ePO extension CVE-2024-53738 WordPress Asset CleanUp: Page Speed Booster plugin <=1.3.9.8 - Server Side Request Forgery (SSRF) vulnerability CVE-2023-28112 Discourse's SSRF protection missing for some FastImage requests CVE-2024-51980 Unauthenticated Server Side Request Forgery (SSRF) via WS-Addressing affecting multiple models from Brother Industries, Ltd, FUJIFILM Business Innovation, Ricoh, Toshiba Tec, and Konica Minolta, Inc.