CVE-2025-1782

critical

Published 2025-04-14 · Modified 2026-05-26

CVSS v3

9.9

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS v2

—

VIR risk

9.9

Description

In HylaFAX Enterprise Web Interface and AvantFAX, the language form element is not properly sanitized before being used and can be misused to include an arbitrary file in the PHP code allowing an attacker to do anything as the web server user. This flaw requires the attacker to be authenticated with a valid user account.

Predictions

Exploit likelihood

98%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

References

https://www.ifax.com/security/CVE-2025-1782.html

CWEs

CWE-94

Verify integrity in audit chain (admin only). AS-IS.