CVE-2025-70841 CRITICAL

CVE-2025-70841

Vendor N/A
Product n/a
Published February 3, 2026
Last update February 4, 2026

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AC:L/AV:N/A:N/C:H/I:H/PR:N/S:C/UI:N

What the vulnerability does

01Description

Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key (APP_KEY), database credentials, SMTP/SendGrid API credentials, and internal configuration parameters, enabling complete system compromise including authentication bypass via session token forgery, direct database access to all tenant data, and email infrastructure takeover. Due to the multi-tenancy architecture, this vulnerability affects all tenants in the system.

Key dates

02Disclosure timeline

February 3, 2026 CVE published
February 4, 2026 Record updated