← voltar
CVE-2025-70841

CVE-2025-70841

CVSS 10 CRITICALEPSS 0.4%CWE-287
Vexday Risk Score
28Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 10EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
03 fev 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key (APP_KEY), database credentials, SMTP/SendGrid API credentials, and internal configuration parameters, enabling complete system compromise including authentication bypass via session token forgery, direct database access to all tenant data, and email infrastructure takeover. Due to the multi-tenancy architecture, this vulnerability affects all tenants in the system.
CVSS:3.1/AC:L/AV:N/A:N/C:H/I:H/PR:N/S:C/UI:N
Produtos afetados
n/a · n/a