CVE-2025-1782
published 2025-04-14

Priority: P263
Severity: critical, CVSS 3.1 base score 9.9
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.46% (36.3rd percentile)
In HylaFAX Enterprise Web Interface and AvantFAX, the language form element is not properly sanitized before being used and can be misused to include an arbitrary file in the PHP code allowing an attacker to do anything as the web server user. This flaw requires the attacker to be authenticated with a valid user account.

Affected (6 ranges)

Vendor   Product   Version range                         Fixed in
ifax     avantfax  < 3.3.*                               3.3.*
ifax     avantfax  >= 3.4.0, < 3.4.1                     3.4.1
ifax     hylafax   < 1.1.*                               1.1.*
ifax     hylafax   >= 1.2.0, < 1.2.1                     1.2.1
ifax     hylafax   >= 1.3.0, < 1.3.2                     1.3.2
rustfs   rustfs    >= 1.0.0-alpha.13, < 1.0.0-alpha.78   1.0.0-alpha.78