{"id":"CVE-2025-60319","details":"PerfreeBlog v4.0.11 is vulnerable to Server-Side Request Forgery due to a missing authorization check in the uploadAttachByUrl API endpoint (AttachController.java).","modified":"2026-03-14T12:44:34.551816Z","published":"2025-10-30T17:15:38.800Z","references":[{"type":"FIX","url":"https://github.com/PerfreeBlog/PerfreeBlog/commit/103c79165e3a41a1729188fdc8a1e90c97c0a06d"},{"type":"FIX","url":"https://github.com/PerfreeBlog/PerfreeBlog/issues/20"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/perfree/perfreeblog","events":[{"introduced":"0"},{"last_affected":"12ba053502aa156ba957624e54f76e6cd9d6d4f9"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.0.11"}]}},{"type":"GIT","repo":"https://github.com/perfreeblog/perfreeblog","events":[{"introduced":"0"},{"fixed":"103c79165e3a41a1729188fdc8a1e90c97c0a06d"}]}],"versions":["V1.0.0","V1.0.0-Beta","V1.0.1-Beta","V1.0.3","V1.1.0","V1.2.0","V1.2.1","V1.2.2","v1.0.1","v1.0.2","v1.2.3","v1.2.4","v1.2.5","v1.2.6","v1.2.7","v1.3.0","v1.3.1","v1.3.2","v2.0.0","v2.1.0","v2.2.0","v2.2.1","v2.2.2","v2.2.3","v2.3.0","v2.3.1","v3.0.0","v3.1.0","v3.1.1","v3.1.2","v4.0.0","v4.0.0-beta.1.01","v4.0.1","v4.0.11"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-60319.json","vanir_signatures":[{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["266826684014565004970362132803478369884","230121127978011358634137470204310604400","242302259992378236722321911493198835498","31410481210019923550786133476901923837"]},"signature_version":"v1","target":{"file":"perfree-system/perfree-system-biz/src/main/java/com/perfree/controller/auth/attach/AttachController.java"},"signature_type":"Line","source":"https://github.com/perfreeblog/perfreeblog/commit/103c79165e3a41a1729188fdc8a1e90c97c0a06d","id":"CVE-2025-60319-8e51dd1a"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"}]}