CVE-2025-29993
MEDIUM
PowerCMS 4.x < 4.58, 5.x < 5.27, 6.x < 6.6 - HTTP Header Injection
Title source: llm
Description
The affected versions of PowerCMS allow HTTP header injection. This vulnerability can be leveraged to direct the affected product to send email with a tampered URL, such as password reset mail.
References (2)
Core References
Third Party Advisory: https://jvn.jp/en/jp/JVN39026557/
Various Sources: https://www.powercms.jp/news/release-powercms-661-528-459.html
Scores
CVSS v3: 5.3
EPSS: 0.0025
EPSS Percentile: 16.1%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-74
Status: published
Products (3)
Alfasado Inc./PowerCMS 4.x series: 4.58 and earlier
Alfasado Inc./PowerCMS 5.x series: 5.27 and earlier
Alfasado Inc./PowerCMS 6.x series: 6.6 and earlier
Published: Mar 27, 2025
Tracked Since: Feb 18, 2026