CVE-2025-15242

Published: Dec 30, 2025Modified: Apr 29, 2026

1.3

Vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: CNA (Secondary)

Description

A vulnerability was detected in PHPEMS up to 11.0. The impacted element is an unknown function of the component Coupon Handler. Performing a manipulation results in race condition. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is regarded as difficult. The exploit is now public and may be used.

Affected (1)

Products: Phpems: Phpems

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Phpems Phpems	Up to 11.0

Related CWEs

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References (4)

https://byebydoggy.github.io/post/2025/1229-phpems-coupon-recharge-race-condition-poc/

Source: cna@vuldb.com

ExploitMitigationThird Party Advisory

https://vuldb.com/?ctiid.338632

Source: cna@vuldb.com

Permissions RequiredVDB Entry

https://vuldb.com/?id.338632

Source: cna@vuldb.com

Third Party AdvisoryVDB Entry

https://vuldb.com/?submit.725661

Source: cna@vuldb.com

Third Party AdvisoryVDB Entry

Timeline

No history available yet.