CVE-2025-53922 LOW

CVE-2025-53922: Galette has access control bypass

Vendor Galette

Product galette

Weakness CWE-863 · Incorrect authorization

Published December 19, 2025

Last update December 19, 2025

View on NVD All CVEs

CVSS base score

1.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01Description

Galette is a membership management web application for non profit organizations. Starting in version 1.1.4 and prior to version 1.2.0, a user who is logged in as group manager may bypass intended restrictions on Contributions and Transactions. Version 1.2.0 fixes the issue.

Key dates

02Disclosure timeline

December 19, 2025 CVE published

December 19, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-53922 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

04Related CVE

CVE-2026-33676 Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read CVE-2023-49734 Apache Superset: Privilege Escalation Vulnerability CVE-2026-35555 Subnet Solutions PowerSYSTEM Center Incorrect Authorization CVE-2024-39690 Capsule tenant owner with "patch namespace" permission can hijack system namespaces CVE-2026-44882 Portainer: Kubernetes middleware continues after token validation failure, bypassing endpoint authorization