CVE-2025-15244

Published: Dec 30, 2025Modified: Apr 29, 2026

2.9

Vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: CNA (Secondary)

Description

A vulnerability has been found in PHPEMS up to 11.0. This impacts an unknown function of the component Purchase Request Handler. The manipulation leads to race condition. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used.

Affected (1)

Products: Phpems: Phpems

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Phpems Phpems	Up to 11.0

Related CWEs

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References (4)

https://byebydoggy.github.io/post/2025/1229-phpems-points-race-condition-poc/

Source: cna@vuldb.com

ExploitMitigationThird Party Advisory

https://vuldb.com/?ctiid.338634

Source: cna@vuldb.com

Permissions RequiredVDB Entry

https://vuldb.com/?id.338634

Source: cna@vuldb.com

Third Party AdvisoryVDB Entry

https://vuldb.com/?submit.725727

Source: cna@vuldb.com

Third Party AdvisoryVDB Entry

Timeline

No history available yet.