PT-2025-38659 · Unknown · Seriawei Zkeacms
Yu_Bao · Published 2025-09-21 · Updated 2025-10-14 · CVE-2025-10764
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
SeriaWei ZKEACMS versions prior to 4.4
Description
A vulnerability exists in SeriaWei ZKEACMS up to version 4.3. The issue affects the Edit function within the src/ZKEACMS.EventAction/Controllers/PendingTaskController.cs file of the Event Action System component. Manipulation of the Data argument can lead to server-side request forgery. The attack can be performed remotely. The exploit is publicly available.
Recommendations
Update SeriaWei ZKEACMS to version 4.4 or later.
As a temporary workaround, restrict access to the Edit function within the src/ZKEACMS.EventAction/Controllers/PendingTaskController.cs file.
Avoid using the Data parameter in the Edit function until the issue is resolved.
Exploit
Fix
SSRF
Affected Products
Seriawei Zkeacms