PT-2025-47110 · Chunghwa Telecom · Tenderdoctransfer

Published 2025-11-17 · Updated 2025-12-19 · CVE-2025-13282

CVSS v3.1: 8.1 High

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

TenderDocTransfer (affected versions not specified)

Description

TenderDocTransfer, developed by Chunghwa Telecom, has an arbitrary file deletion vulnerability. The application starts a local web server and exposes APIs for communication. Because these APIs lack CSRF protection, unauthenticated remote attackers can use phishing to trigger API actions. One of the APIs also contains an Absolute Path Traversal flaw, which can allow attackers to delete arbitrary files on the user's system.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
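
For developers of similar local helper services, the two checks whose absence the description points to (request origin validation and confinement of client-supplied paths) can be sketched as follows. This is an added example, not code from TenderDocTransfer or the vendor; the trusted origin, base directory and function names are assumptions.

```python
from pathlib import Path, PureWindowsPath

# Assumed values, not taken from TenderDocTransfer: the only web origin allowed
# to call the local API, and the one directory the delete API may touch.
TRUSTED_ORIGINS = {"https://portal.example"}
BASE_DIR = Path("/var/lib/local-helper/outbox")


def origin_allowed(headers):
    """CSRF check: the browser-set Origin header must name a trusted site."""
    # A missing Origin is rejected rather than treated as same-origin.
    return headers.get("Origin") in TRUSTED_ORIGINS


def confine(name, base=BASE_DIR):
    """Map a client-supplied name to a path under base, or return None."""
    if not name or "\x00" in name:
        return None
    parts = PureWindowsPath(name)  # understands both "/" and "\" separators
    # Absolute forms ("/etc/x", "C:\x", "\\host\share\x") are refused outright:
    # joining an absolute path onto base would silently discard base.
    if parts.drive or parts.root:
        return None
    base = base.resolve()
    target = base.joinpath(*parts.parts).resolve()  # collapses ".." and symlinks
    # Compare path components, not string prefixes ("outbox-old" is not "outbox").
    return target if base in target.parents else None


def authorize_delete(headers, name):
    """Return (HTTP status, path to delete or None) for a delete request."""
    if not origin_allowed(headers):
        return 403, None
    target = confine(name)
    if target is None:
        return 400, None
    return 200, target


if __name__ == "__main__":
    # Constructed requests: (headers, requested file name)
    for hdrs, name in [
        ({"Origin": "https://portal.example"}, "bid-2025/report.pdf"),
        ({"Origin": "https://phish.example"}, "bid-2025/report.pdf"),
        ({"Origin": "https://portal.example"}, "/etc/hosts"),
        ({"Origin": "https://portal.example"}, "..\\..\\notes.txt"),
    ]:
        print(name, authorize_delete(hdrs, name))
```

The header lookup assumes the server framework exposes request headers as a dictionary keyed by canonical name; the caller performs the actual deletion only on a 200 result.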

CSRF

Weakness Enumeration

Related Identifiers

CVE-2025-13282

Affected Products

Tenderdoctransfer