CVE-2025-15242

LOW

Phpems < 11.0 - Race Condition

Title source: rule

Description

A vulnerability was detected in PHPEMS up to 11.0. The impacted element is an unknown function of the component Coupon Handler. Performing a manipulation results in race condition. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is regarded as difficult. The exploit is now public and may be used.

References (4)

[Third Party Advisory, VDB Entry] https://vuldb.com/?id.338632

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.338632

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.725661

[Exploit, Mitigation, Third Party Advisory] https://byebydoggy.github.io/post/2025/1229-phpems-coupon-recharge-race-condition-poc/

Scores

CVSS v3 3.1

EPSS 0.0006

EPSS Percentile 17.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-362

Status published

Products (1)

phpems/phpems < 11.0

Published Dec 30, 2025

Tracked Since Feb 18, 2026