CVE-2025-29036

low-risk
Published 2025-04-01

An issue in hackathon-starter v.8.1.0 allows a remote attacker to escalate privileges via the user.js component.

Do I need to act?

-
0.35% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10 Medium
LOCAL / LOW complexity

References (3)

https://github.com/HypeDuke/vulnerable-research/blob/main/CVE-2025-29036
https://github.com/sahat/hackathon-starter/issues/1326
https://github.com/sahat/hackathon-starter/pull/1328
25
/ 100
low-risk
Severity 19/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal