CVE-2018-25334

medium

Published 2026-05-17 · Modified 2026-05-18

CVSS v3

5.4

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS v2

—

VIR risk

5.4

Description

Zechat 1.5 contains a Cross-Site Request Forgery (CSRF) vulnerability that allows an attacker to change a user's information by bypassing anti-CSRF protections. The application uses a CSRF token, but an attacker can use the hashtag parameter to inject an encoded payload and bypass the CSRF protection, allowing for unauthorized changes to user data. This can be exploited by tricking a user into submitting a crafted form or by using a script to obtain and set the CSRF token.

Predictions

Exploit likelihood

64%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

References

https://bylancer.com
https://www.exploit-db.com/exploits/44685
https://www.vulncheck.com/advisories/zechat-cross-site-request-forgery-csrf-via-hashtag-parameter

CWEs

CWE-352

Verify integrity in audit chain (admin only). AS-IS.