CVE-2025-58052

high

Published 2025-12-19 · Modified 2026-04-29

CVSS v3

8.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS v2

—

VIR risk

8.1

Description

Galette is a membership management web application for non profit organizations. Starting in version 0.9.6 and prior to version 1.2.0, attackers with group manager role can bypass intended restrictions allowing unauthorized access and changes despite role-based controls. Since it requires privileged access initially, exploitation is restricted to malicious insiders or compromised group managers accounts. Version 1.2.0 fixes the issue.

Predictions

Exploit likelihood

88%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/galette/galette/security/advisories/GHSA-gp9g-gf56-fcxx

Mitigation details

Source: GitHub Security Advisory · View original ↗ · CC-BY-4.0

Application impact

Vendor	Product	Versions	Fixed
galette	galette	`{"endExcluding":"1.2.0"}`	`1.2.0`

References

https://github.com/galette/galette/security/advisories/GHSA-gp9g-gf56-fcxx

CWEs

CWE-863

Verify integrity in audit chain (admin only). AS-IS.