PT-2025-27142 · Diyhi Bbs
Shenxiusecurity · Published 2025-06-27 · Updated 2025-09-02
CVE-2025-6762

| Metric | Value |
|---|---|
| CVSS v3.1 | 7.2 (High) |
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
diyhi bbs versions up to 6.8
Description:
A critical issue has been discovered that affects the getUrl function of the /admin/login file in the HTTP Header Handler component. Manipulating the Host argument leads to server-side request forgery (SSRF), and the attack can be initiated remotely.
Recommendations:
For versions up to 6.8, consider restricting access to the /admin/login endpoint until a patch is available.
As a temporary workaround, consider disabling the getUrl function of the HTTP Header Handler component to minimize the risk of exploitation.
Avoid using the Host argument in the affected HTTP Header Handler component until the issue is resolved.
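As an added example (not code from Diyhi Bbs or its fix), a Python model of the defensive pattern behind the recommendations above: an absolute-URL helper, here a hypothetical `get_url` standing in for the advisory's getUrl, checks the Host header against a configured allowlist and otherwise falls back to the canonical base, so a forged Host cannot steer the resulting URL to a foreign host. The hostnames and canonical base are constructed values, and `vulnerable_get_url` is shown only to contrast the unsafe pattern with the hardened one.

```python
import re

# Constructed deployment values: hosts this server is actually served under.
ALLOWED_HOSTS = {"bbs.example.org", "localhost"}
CANONICAL_BASE = "https://bbs.example.org"

# Hostname labels plus an optional decimal port; no scheme, userinfo, path,
# whitespace or IPv6 brackets, all of which are rejected by failing to match.
_HOST_RE = re.compile(
    r"^(?P<host>[a-z0-9](?:[a-z0-9.-]{0,251}[a-z0-9])?)(?::(?P<port>\d{1,5}))?$"
)


def host_header_is_allowed(value, allowed=ALLOWED_HOSTS):
    """True only if the Host header names a host on the allowlist."""
    if not value:
        return False
    m = _HOST_RE.match(value.strip().lower())
    if m is None:
        return False
    port = m.group("port")
    if port is not None and not 0 < int(port) < 65536:
        return False
    return m.group("host") in allowed


def vulnerable_get_url(headers, path):
    """The pattern the advisory describes: the client-controlled Host header
    becomes the authority of a URL the server may later fetch (SSRF)."""
    return "https://" + headers.get("Host", "") + path


def get_url(headers, path, allowed=ALLOWED_HOSTS, canonical=CANONICAL_BASE):
    """Hardened stand-in for getUrl (hypothetical name): the Host header is
    used only when it is on the allowlist; otherwise the canonical base is."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    host = headers.get("Host", "")
    if host_header_is_allowed(host, allowed):
        return "https://" + host.strip().lower() + path
    return canonical + path


if __name__ == "__main__":
    forged = {"Host": "attacker.example"}  # constructed, not a real host
    print(vulnerable_get_url(forged, "/admin/login"))  # https://attacker.example/admin/login
    print(get_url(forged, "/admin/login"))             # https://bbs.example.org/admin/login
```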
Affected Products: Diyhi Bbs