CVE-2025-11436

high

Published 2025-10-08 · Modified 2026-04-29

CVSS v3

8.8

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2

6.5

VIR risk

8.8

Description

A vulnerability was detected in JhumanJ OpnForm up to 1.9.3. Affected by this issue is some unknown functionality of the file /answer. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit is now public and may be used. The patch is identified as 95c3e23856465d202e6aec10bdb6ee0688b5305a. It is advisable to implement a patch to correct this issue.

Predictions

Exploit likelihood

92%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cna@vuldb.com — https://github.com/JhumanJ/OpnForm/pull/900/commits/95c3e23856465d202e6aec10bdb6ee0688b5305a

Application impact

Vendor	Product	Versions	Fixed
jhumanj	opnform	`{"endIncluding":"1.9.3"}`

References

https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.dm5ttliupfqn
https://github.com/JhumanJ/OpnForm/pull/900/commits/95c3e23856465d202e6aec10bdb6ee0688b5305a
https://vuldb.com/?ctiid.327373
https://vuldb.com/?id.327373
https://vuldb.com/?submit.666877

CWEs

CWE-284 CWE-434

Verify integrity in audit chain (admin only). AS-IS.