Vulnerability Description
UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. In versions 0.3.0 and earlier, users without the Delete privilege for products are unable to delete individual products via the standard endpoint, as expected. However, these users can bypass intended access controls by issuing requests to the mass-delete endpoint, allowing them to delete products without proper authorization. This vulnerability allows unauthorized product deletion, leading to potential data loss and business disruption. The issue is fixed in version 0.3.1. No known workarounds exist.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Webkul | Unopim | < 0.3.1 |
Related Weaknesses (CWE)
References
- https://github.com/unopim/unopim/commit/c14eebe653aafd8dc713ca729165177e63315989Patch
- https://github.com/unopim/unopim/security/advisories/GHSA-8p2f-fx4q-75cxExploitVendor Advisory
- https://www.youtube.com/watch?v=J_WV8fCXlJMExploit
- https://github.com/unopim/unopim/security/advisories/GHSA-8p2f-fx4q-75cxExploitVendor Advisory
- https://www.youtube.com/watch?v=J_WV8fCXlJMExploit
FAQ
What is CVE-2025-55741?
CVE-2025-55741 is a vulnerability with a CVSS score of 8.1 (HIGH). UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. In versions 0.3.0 and earlier, users without the Delete privilege for products are unable to delete...
How severe is CVE-2025-55741?
CVE-2025-55741 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-55741?
Check the references section above for vendor advisories and patch information. Affected products include: Webkul Unopim.