CVE-2025-13796

MEDIUM

deco-cx <0.120.1 - SSRF

Title source: llm

Description

A security vulnerability has been detected in deco-cx apps up to 0.120.1. Affected by this vulnerability is the function AnalyticsScript of the file website/loaders/analyticsScript.ts of the component Parameter Handler. Such manipulation of the argument url leads to server-side request forgery. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 0.120.2 addresses this issue. It is suggested to upgrade the affected component.

Exploits (2)

github WORKING POC 2 stars

by adminlove520 · pythonpoc

https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-13796

View Code ZIP pw:eip

nomisec WORKING POC

by 0xcucumbersalad · poc

https://github.com/0xcucumbersalad/CVE-2025-13796-PoC

View Code ZIP pw:eip

References (5)

[Issue Tracking] https://github.com/deco-cx/apps/pull/1360

[Release Notes] https://github.com/deco-cx/apps/releases/tag/0.120.2

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.333807

[Permissions Required, VDB Entry] https://vuldb.com/?id.333807

[Permissions Required, VDB Entry] https://vuldb.com/?submit.691837

Scores

CVSS v3 6.3

EPSS 0.0007

EPSS Percentile 21.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Details

CWE

CWE-918

Status published

Products (3)

deco-cx/apps 0.120.0

deco-cx/apps 0.120.1

deco-cx/apps 0.120.2

Published Dec 01, 2025

Tracked Since Feb 18, 2026