CVE-2025-13789 MEDIUM

CVE-2025-13789: ZenTao model.php makeRequest server-side request forgery

Vendor N/A
Product ZenTao
Weakness CWE-918 · SSRF
Published November 30, 2025
Last update December 1, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability was found in ZenTao up to 21.7.6-8564. This affects the function makeRequest of the file module/ai/model.php. The manipulation of the argument Base results in server-side request forgery. The attack can be launched remotely. The exploit has been made public and could be used. Upgrading to version 21.7.6 mitigates this issue. It is suggested to upgrade the affected component.

Key dates

02Disclosure timeline

November 30, 2025 CVE published
December 1, 2025 Record updated