CVE-2025-55741
HIGH
UnoPim < 0.3.1 - Missing Authorization Check on Mass-Delete Endpoint (Authenticated User Without Delete Privilege)
Title source: llmDescription
UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. In versions 0.3.0 and earlier, the standard single-product delete endpoint correctly refuses requests from users who lack the Delete privilege for products, but the mass-delete endpoint does not perform the same check. An authenticated user without that privilege can therefore delete products by sending the request to the mass-delete endpoint instead, bypassing the intended access control. The result is unauthorized product deletion, with potential data loss and business disruption. The issue is fixed in version 0.3.1; no workaround is known. Note that the CVSS vector's PR:L reflects this precondition: the attacker needs a valid low-privilege account, not anonymous access.
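The pattern the description refers to, as an added example that is not UnoPim's own code: a single-item delete that checks the Delete privilege, a bulk delete that omits the check (the pre-0.3.1 behaviour), the hardened bulk delete, and a behavioural audit that drives every delete-style handler as a user without the privilege and reports which ones still remove rows. The permission key `catalog.products.delete`, the handler names, the `User`/`Catalog` types and the seed catalog are assumptions; UnoPim's real ACL keys and routes are not shown on this page.

```python
# Added example, not UnoPim's code: models the gap in CVE-2025-55741 (single delete
# checks the Delete privilege, mass delete does not) plus an audit that flags any
# delete-style handler a low-privilege user can still drive. Permission key, handler
# names and catalog contents are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Iterable, List

DELETE_PRIV = "catalog.products.delete"   # assumed ACL key; UnoPim's real key may differ


class Forbidden(Exception):
    """Caller lacks the required privilege (would be an HTTP 403 in the real app)."""


@dataclass(frozen=True)
class User:
    name: str
    permissions: FrozenSet[str]


@dataclass
class Catalog:
    products: Dict[int, str] = field(default_factory=dict)


def require(user: User, permission: str) -> None:
    if permission not in user.permissions:
        raise Forbidden(f"{user.name} lacks {permission}")


def _delete_rows(catalog: Catalog, ids: Iterable[int]) -> int:
    """Destructive core shared by both endpoints; returns the number of rows removed."""
    return sum(1 for pid in ids if catalog.products.pop(pid, None) is not None)


def destroy(user: User, catalog: Catalog, product_id: int) -> int:
    """Single-product endpoint: enforces the Delete privilege, as the advisory says it does."""
    require(user, DELETE_PRIV)
    return _delete_rows(catalog, [product_id])


def mass_destroy_vulnerable(user: User, catalog: Catalog, ids: Iterable[int]) -> int:
    """Pre-0.3.1 shape of the bug: a second path to the same effect with no check at all."""
    return _delete_rows(catalog, ids)          # no require(): this is the gap


def mass_destroy_fixed(user: User, catalog: Catalog, ids: Iterable[int]) -> int:
    """Hardened form: the bulk path passes exactly the same gate before touching a row."""
    require(user, DELETE_PRIV)
    return _delete_rows(catalog, ids)


Handler = Callable[[User, Catalog], int]


def delete_bypass_audit(handlers: Dict[str, Handler], low_priv_user: User,
                        seed: Dict[int, str]) -> List[str]:
    """Drive every delete-style handler as a user WITHOUT the Delete privilege, each on a
    fresh copy of the seed catalog. Returns the handlers that removed rows instead of
    raising Forbidden: each is an authorization gap of the kind fixed in 0.3.1."""
    bypasses: List[str] = []
    for name, handler in handlers.items():
        catalog = Catalog(dict(seed))
        try:
            handler(low_priv_user, catalog)
        except Forbidden:
            continue                 # denied, as it should be
        if len(catalog.products) < len(seed):
            bypasses.append(name)    # rows vanished without the privilege
    return bypasses


# Constructed sample data (assumptions, not UnoPim fixtures).
SEED = {1: "Chair", 2: "Table", 3: "Lamp"}
EDITOR = User("editor", frozenset({"catalog.products.view"}))            # lacks Delete
ADMIN = User("admin", frozenset({"catalog.products.view", DELETE_PRIV}))


def audit_before_fix() -> List[str]:
    return delete_bypass_audit({
        "products.destroy": lambda u, c: destroy(u, c, 1),
        "products.mass_destroy": lambda u, c: mass_destroy_vulnerable(u, c, [1, 2, 3]),
    }, EDITOR, SEED)


def audit_after_fix() -> List[str]:
    return delete_bypass_audit({
        "products.destroy": lambda u, c: destroy(u, c, 1),
        "products.mass_destroy": lambda u, c: mass_destroy_fixed(u, c, [1, 2, 3]),
    }, EDITOR, SEED)


if __name__ == "__main__":
    print("bypasses before fix:", audit_before_fix())   # ['products.mass_destroy']
    print("bypasses after fix: ", audit_after_fix())    # []
```

The audit is the regression check a practitioner would keep after applying the 0.3.1 fix, and it generalizes beyond this one endpoint: any new code path that reaches the same destructive effect (bulk actions, imports, API variants) must deny the user that the single-item endpoint denies, and checking by outcome rather than by reading route metadata catches a path that was simply never wired to the gate.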
References (3)
Exploit, Vendor Advisory (x_refsource_confirm)
https://github.com/unopim/unopim/security/advisories/GHSA-8p2f-fx4q-75cx
Patch (x_refsource_misc)
https://github.com/unopim/unopim/commit/c14eebe653aafd8dc713ca729165177e63315989
Exploit (x_refsource_misc)
https://www.youtube.com/watch?v=J_WV8fCXlJM
Scores
CVSS v3.1 base score
8.1 (High)
EPSS
0.0039 (0.39%)
EPSS Percentile
30.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-284
CWE-862
Status
published
Products (2)
unopim/unopim (Packagist)
>= 0, < 0.3.1
webkul/unopim
< 0.3.1
Published
Aug 22, 2025
Tracked Since
Feb 18, 2026