CVE-2025-9747

low-risk

Published 2025-08-31

A vulnerability has been found in Koillection up to 1.6.18. Affected is an unknown function of the file assets/controllers/csrf_protection_controller.js. Such manipulation leads to cross-site request forgery. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.0 is able to address this issue. The name of the patch is 9ab8562d3f1e953da93fed63f9ee802c7ea26a9a. It is suggested to upgrade the affected component. The vendor explains: "I ended up switching to a newer CSRF handling using stateless token."

Do I need to act?

0.03% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Koillection

Affected Vendors

Benjaminjonard

References (11)

Patch https://github.com/benjaminjonard/koillection/commit/9ab8562d3f1e953da93fed63f9e...

Exploit https://github.com/benjaminjonard/koillection/issues/1393

Exploit https://github.com/benjaminjonard/koillection/issues/1393#issue-3347724086

Exploit https://github.com/benjaminjonard/koillection/issues/1393#issuecomment-321731007...

Release Notes https://github.com/benjaminjonard/koillection/releases/tag/1.7.0

Permissions Required https://vuldb.com/?ctiid.322047

Third Party Advisory https://vuldb.com/?id.322047

Third Party Advisory https://vuldb.com/?submit.640421

Exploit https://github.com/benjaminjonard/koillection/issues/1393

Exploit https://github.com/benjaminjonard/koillection/issues/1393#issue-3347724086

Exploit https://github.com/benjaminjonard/koillection/issues/1393#issuecomment-321731007...

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal