CVE-2025-15390

MEDIUM

Phpgurukul Small Crm < 4.0 - Incorrect Authorization

Title source: rule

Description

A security flaw has been discovered in PHPGurukul Small CRM 4.0. This impacts an unknown function of the file /admin/edit-user.php. The manipulation results in missing authorization. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

Exploits (1)

github

by rsecroot · poc

https://github.com/rsecroot/CVE-2025-15390

References (5)

[Exploit, Third Party Advisory] https://github.com/rsecroot/Small-Customer-Relationship-Management-CRM-in-PHP/blob/main/Broken%20Access%20Control.md

View Exploit ZIP pw:eip

[Product] https://phpgurukul.com/

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.339151

[Third Party Advisory, VDB Entry] https://vuldb.com/?id.339151

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.727430

Scores

CVSS v3 6.3

EPSS 0.0002

EPSS Percentile 4.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Details

CWE

CWE-863 CWE-862

Status published

Products (1)

phpgurukul/small_crm < 4.0

Published Dec 31, 2025

Tracked Since Feb 18, 2026