PT-2025-39803 · Unknown · Pmticket Project-Management-Software
Allan Njuguna · Published 2025-09-29 · Updated 2025-10-04
CVE-2025-11135
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
pmTicket Project-Management-Software versions prior to 2ef379da2075f4761a2c9029cf91d073474e7486
Description
A flaw exists in pmTicket Project-Management-Software related to the deserialization of data. The issue is located in the loadLanguage function within the classes/class.database.php file, part of the Cookie Handler component. Manipulation of the user id argument can trigger this deserialization. The attack can be performed remotely. The exploit is publicly available. The software uses continuous delivery with rolling releases, and the vendor did not respond to early disclosure attempts.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Deserialization of Untrusted Data
RCE
Affected Products
Pmticket Project-Management-Software