CVE-2025-2835
MEDIUMzhyd oneblog < 2.3.9 - Server-Side Request Forgery via autoLink Function
Title source: llmDescription
A vulnerability was found in zhangyd-c OneBlog up to 2.3.9. It has been declared as problematic. Affected by this vulnerability is the function autoLink of the file com/zyd/blog/controller/RestApiController.java. The manipulation leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
References (5)
Core 5
Core References
Third Party Advisory, VDB Entry vdb-entry
technical-description
https://vuldb.com/?id.301471
Permissions Required, VDB Entry signature
permissions-required
https://vuldb.com/?ctiid.301471
Third Party Advisory, VDB Entry third-party-advisory
https://vuldb.com/?submit.521815
Exploit, Issue Tracking issue-tracking
https://github.com/zhangyd-c/OneBlog/issues/36
Exploit, Issue Tracking exploit
issue-tracking
https://github.com/zhangyd-c/OneBlog/issues/36#issue-2923097259
Scores
CVSS v3
4.3
EPSS
0.0030
EPSS Percentile
21.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (1)
zhyd/oneblog
< 2.3.9
Published
Mar 27, 2025
Tracked Since
Feb 18, 2026