CVE-2025-66385

Status: Received
Published: 28 Nov 2025, 07:15
Last modified: 28 Nov 2025, 07:15

Vulnerability Summary

Overall Risk: Medium Risk (38/100)
CVSS Score: 9.4 CRITICAL (CVSS v4.0, source: CVE)
EPSS Score: 0.04% INFO
CISA KEV: Not listed
Ransomware: No reports
Exploits: None found
Dark Web: Not detected
UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by supplying or modifying role_id or organisation_id fields in the edit request.
Source Identifier: cve@mitre.org
CVSS    Source          Severity       Exploit.  Impact  Vector
v4.0    cve@mitre.org   9.4 CRITICAL   NA        NA      CVSS:4.0/AV:N/AC:L/AT:N/P...
v3.1    n/a
v3.0    n/a
v2.0    n/a
EPSS current score: 0.04% (change: +0.01%)
EPSS percentile rank: 10%ile
CWE-472: External Control of Assumed-Immutable Web Parameter
Description: The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

Not listed in CISA Known Exploited Vulnerabilities catalog.

No dark web activity detected for this vulnerability.

No known public exploit code indexed (as of 28 Nov 2025, 07:15).

Exploitation status can change quickly once PoC code appears.

No affected systems information available.

© 2025 CveMate. All rights reserved. v0.1.4