CVE-2025-15242

LOW

Phpems < 11.0 - Race Condition

Title source: rule

Description

A vulnerability was detected in PHPEMS up to 11.0. The impacted element is an unknown function of the component Coupon Handler. Performing a manipulation results in race condition. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is regarded as difficult. The exploit is now public and may be used.

References (4)

[Exploit, Mitigation, Third Party Advisory] https://byebydoggy.github.io/post/2025/1229-phpems-coupon-recharge-race-condition-poc/

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.338632

[Third Party Advisory, VDB Entry] https://vuldb.com/?id.338632

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.725661

Scores

CVSS v3 3.1

EPSS 0.0004

EPSS Percentile 13.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Classification

CWE

CWE-362

Status published

Affected Products (1)

phpems/phpems < 11.0

Timeline

Published Dec 30, 2025

Tracked Since Feb 18, 2026