{"id":"CVE-2025-10471","summary":"ZKEACMS MediaController.cs Proxy server-side request forgery","details":"A vulnerability was detected in ZKEACMS 4.3. Impacted is the function Proxy of the file src/ZKEACMS/Controllers/MediaController.cs. Performing manipulation of the argument url results in server-side request forgery. It is possible to initiate the attack remotely. The exploit is now public and may be used.","modified":"2026-07-15T01:49:12.054695412Z","published":"2025-09-15T16:32:07.024Z","database_specific":{"unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"4.3"},{"last_affected":"4.3"}]}],"cna_assigner":"VulDB","cwe_ids":["CWE-918"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/10xxx/CVE-2025-10471.json"},"references":[{"type":"WEB","url":"https://github.com/August829/Yu/blob/main/58ead8e7e08bfb022.md"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/10xxx/CVE-2025-10471.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-10471"},{"type":"ADVISORY","url":"https://vuldb.com/?id.323890"},{"type":"ADVISORY","url":"https://vuldb.com/?submit.648387"},{"type":"REPORT","url":"https://vuldb.com/?ctiid.323890"},{"type":"EVIDENCE","url":"https://github.com/August829/Yu/blob/main/58ead8e7e08bfb022.md#poc"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/seriawei/zkeacms","events":[{"introduced":"d4ff093d39804fef59120286b2525d60864b0887"},{"last_affected":"d4ff093d39804fef59120286b2525d60864b0887"}],"database_specific":{"extracted_events":[{"introduced":"4.3"},{"last_affected":"4.3"}],"source":"CPE_STRING","cpe":"cpe:2.3:a:zkea:zkeacms:4.3:*:*:*:*:*:*:*"}}],"versions":["4.3","v4.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-10471.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}]}