Cyber Resilience

CVE-2025-26206

Critical · Public PoC

Published: 03 March 2025

Modified: 07 July 2025
CVSS v3.1 score: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS score: 0.0036 (58.5th percentile)
Risk priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26206 is a critical-severity CSRF (CWE-352) vulnerability in Selldone Storefront. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 41.5% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof of concept.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-26206 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting Selldone Storefront version 1.0. The flaw resides in the index.html component and enables a remote attacker to escalate privileges. Published on 2025-03-03, it carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H), marking it as critical due to its network accessibility, low attack complexity, requirement for low privileges and user interaction, and high impacts across confidentiality, integrity, and availability with a changed scope.

An attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network by crafting a malicious webpage or request that tricks an authenticated user into submitting a forged request to the vulnerable index.html component. User interaction (UI:R) is required, such as clicking a link or loading a page, but successful exploitation allows privilege escalation, potentially granting the attacker elevated access and enabling further compromise with high-impact effects due to the changed scope (S:C).

Advisories and additional details on mitigation are referenced in the Selldone Storefront GitHub repository at https://github.com/selldone/storefront/blob/main/index.html and a dedicated CVE repository at https://github.com/xibhi/CVE-2025-26206. Security practitioners should review these sources for patch information or workarounds specific to the affected component.

Vulnerability details

Cross-Site Request Forgery vulnerability in Selldone Storefront v1.0 allows a remote attacker to escalate privileges via the index.html component.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application (tactic: Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The CSRF vulnerability in the public-facing Selldone Storefront web application lets a remote attacker exploit the public-facing application (T1190) and escalate privileges (T1068) by forging requests that perform privileged actions, such as changing user roles.

CVEs Like This One

CVE-2025-23532 (shared CWE-352)
CVE-2025-25928 (shared CWE-352)
CVE-2025-27012 (shared CWE-352)
CVE-2025-23797 (shared CWE-352)
CVE-2026-33649 (shared CWE-352)
CVE-2024-37102 (shared CWE-352)
CVE-2024-37450 (shared CWE-352)
CVE-2025-23558 (shared CWE-352)
CVE-2025-68722 (shared CWE-352)
CVE-2025-31440 (shared CWE-352)

Affected Assets

selldone / storefront / 1.0 (vendor / product / version)

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: SC-23 (Session Authenticity) requires session authenticity mechanisms such as anti-CSRF tokens to prevent forged requests from tricking authenticated users into privilege escalation via the vulnerable index.html component.

Prevent: SI-10 (Information Input Validation) enforces input validation, including CSRF tokens or referer checks, to block unauthorized privilege escalation requests that exploit this CSRF vulnerability.

Prevent: IA-11 mandates re-authentication for sensitive privilege escalation actions, thwarting CSRF attacks, which cannot supply the user's valid credentials.