PT-2026-27212 · Unknown · Census Csweb
Published
2026-03-23
·
Updated
2026-03-24
·
CVE-2025-60949
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Census CSWeb versions prior to 8.1.0 alpha
Description
The software allows the
app/config directory to be accessed via HTTP in certain setups. An unauthenticated remote attacker can request configuration files and potentially obtain sensitive information, such as secrets. The vulnerable endpoint is /app/config. The exposed data may include database credentials, API keys, and session secrets.Recommendations
Update to version 8.1.0 alpha or later.
Exploit
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Census Csweb