CVE-2025-34467

MEDIUM

Zwiicms < 13.7.00 - Incorrect Authorization

Title source: rule

Description

ZwiiCMS versions prior to 13.7.00 contain a denial-of-service vulnerability in multiple administrative endpoints due to improper authorization checks combined with flawed resource state management. When an authenticated low-privilege user requests an administrative page, the application returns "404 Not Found" as expected, but incorrectly acquires and associates a temporary lock on the targeted resource with the attacker session prior to authorization. This lock prevents other users, including administrators, from accessing the affected functionality until the attacker navigates away or the session is terminated.

References (3)

[Product] https://github.com/fredtempez/ZwiiCMS

[Release Notes] https://codeberg.org/fredtempez/ZwiiCMS/releases/tag/13.7.00

[Third Party Advisory] https://www.vulncheck.com/advisories/zwiicms-lock-persistence-authenticated-dos-against-administrative-pages

Scores

CVSS v3 4.3

EPSS 0.0004

EPSS Percentile 12.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-863 CWE-667

Status published

Products (1)

zwiicms/zwiicms < 13.7.00

Published Dec 31, 2025

Tracked Since Feb 18, 2026