PT-2026-5987 · Unknown · Dokans Multi-Tenancy Based Ecommerce Platform

Published: 2026-02-03 · Updated: 2026-02-11 · CVE-2025-70841

CVSS v3.1: 10 (Critical)

Vector: AC:L/AV:N/A:N/C:H/I:H/PR:N/S:C/UI:N
Name of the Vulnerable Software and Affected Versions: Dokans Multi-Tenancy Based eCommerce Platform version 3.9.2
Description: The platform allows unauthenticated remote attackers to obtain sensitive application configuration data by directly requesting the '/script/.env' file. This file contains the Laravel application encryption key (APP_KEY), database credentials, SMTP/SendGrid API credentials, and internal configuration parameters. Exploitation can lead to complete system compromise, including authentication bypass via session token forgery, direct database access to all tenant data, and email infrastructure takeover. Because the platform is multi-tenant, all tenants in the system are affected.
Recommendations: Update to a newer version that contains a fix for this vulnerability.
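
Added example (not from the advisory or the vendor): a check of web server access logs for the '/script/.env' request described above, separating requests that were answered with file content from ones that were refused. It assumes combined-format access logs; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined log format: ip - user [time] "METHOD target PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def is_env_request(target):
    """True if the decoded, case-folded request path names a .env file."""
    path = unquote(urlsplit(target).path).lower()
    leaf = path.rstrip("/").rsplit("/", 1)[-1]
    return leaf == ".env"

def find_env_exposure(lines):
    """Return (ip, timestamp, target, verdict) for each .env request in the log."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_env_request(m["target"]):
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        # A 2xx answer with a body means the file content left the server.
        served = m["status"].startswith("2") and size > 0
        findings.append((m["ip"], m["ts"], m["target"], "SERVED" if served else "probe"))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Feb/2026:10:01:12 +0000] "GET /script/.env HTTP/1.1" 200 1843 "-" "curl/8.5.0"',
    '198.51.100.23 - - [03/Feb/2026:10:02:40 +0000] "GET /script/.env?v=1 HTTP/1.1" 403 153 "-" "-"',
    '198.51.100.23 - - [03/Feb/2026:10:02:41 +0000] "GET /script/.ENV HTTP/1.1" 404 - "-" "-"',
    '192.0.2.50 - - [03/Feb/2026:10:03:05 +0000] "GET /script/public/app.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [03/Feb/2026:10:03:09 +0000] "GET /environment HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, target, verdict in find_env_exposure(SAMPLE_LOG):
        print(f"{verdict:6} {ip:15} {ts} {target}")
```

A SERVED verdict means the secrets listed in the description should be treated as disclosed for every tenant on that instance.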

Exploit

Fix

Weakness Enumeration: Improper Authentication

Related Identifiers: CVE-2025-70841

Affected Products: Dokans Multi-Tenancy Based Ecommerce Platform