CVE-2025-59892 HIGH

CVE-2025-59892: Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server

Vendor Flexense
Product Sync Breeze Enterprise Server
Weakness CWE-352 · CSRF
Published January 28, 2026
Last update January 28, 2026
View on NVD All CVEs

CVSS base score

8.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to delete commands individually via '/delete_command?sid=', using the 'cid' parameter.

Key dates

02Disclosure timeline

January 28, 2026 CVE published
January 28, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-12072 Disable Content Editor For Specific Template <= 2.0 - Cross-Site Request Forgery to Template Configuration Update CVE-2024-38691 WordPress Metorik plugin <= 1.7.1 - Cross Site Request Forgery (CSRF) vulnerability CVE-2024-38765 WordPress Oceanic theme <= 1.0.48 - Cross Site Request Forgery (CSRF) vulnerability CVE-2025-5937 MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet <= 3.2.0 - Cross-Site Request Forgery to Settings Reset CVE-2025-23989 WordPress Internal Link Builder plugin <= 1.0 - CSRF to Stored XSS vulnerability