CVE-2025-13787

low-risk

Published 2025-11-30

A flaw has been found in ZenTao up to 21.7.6-8564. The affected element is the function file::delete of the file module/file/control.php of the component File Handler. Executing manipulation of the argument fileID can lead to improper privilege management. It is possible to launch the attack remotely. Upgrading to version 21.7.7 is sufficient to fix this issue. You should upgrade the affected component.

Do I need to act?

0.08% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.4/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Zentao

Affected Vendors

Zentao

References (8)

Exploit https://github.com/ez-lbz/ez-lbz.github.io/issues/1

Exploit https://github.com/ez-lbz/ez-lbz.github.io/issues/1#issuecomment-3540423868

Permissions Required https://vuldb.com/?ctiid.333791

Third Party Advisory https://vuldb.com/?id.333791

Third Party Advisory https://vuldb.com/?submit.689892

Product https://www.zentao.net/extension-buyext-1601-download.html

Exploit https://github.com/ez-lbz/ez-lbz.github.io/issues/1

Exploit https://github.com/ez-lbz/ez-lbz.github.io/issues/1#issuecomment-3540423868

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal