CVE-2025-59945
HIGH
sysreptor 2024.74 to before 2025.83 - Authenticated Privilege Escalation via Self-Assigned Project Admin Permission
Title source: llmDescription
SysReptor is a fully customizable pentest reporting platform. In versions from 2024.74 to before 2025.83, authenticated and unprivileged (non-admin) users can assign the is_project_admin permission to their own user. This allows users to read, modify and delete pentesting projects they are not members of and are therefore not supposed to access. This issue has been patched in version 2025.83.
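The description above names the bug class (CWE-266, a user-controlled update path that lets the caller write a privilege flag onto their own account) but not the code shape. The following is an added illustrative example, not SysReptor's code: a minimal in-memory model of the vulnerable self-update pattern beside a hardened one, plus a version-range check for the affected range stated in the advisory. The `User` class, the `update_self_*` handlers, `PRIVILEGED_FIELDS`, `users_with_flag` and every field name other than `is_project_admin` are assumptions made for illustration; the real request path and model are not reproduced here.

```python
"""Illustrative model of the CWE-266 pattern behind CVE-2025-59945.

Added example, not SysReptor code. Everything except the field name
`is_project_admin` and the version range 2024.74 <= v < 2025.83 is assumed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed set of flags that must never be writable through a self-update.
PRIVILEGED_FIELDS = frozenset({"is_project_admin", "is_superuser"})


@dataclass
class User:
    """Hypothetical user record with a global project-admin flag."""
    username: str
    is_superuser: bool = False
    is_project_admin: bool = False
    email: str = ""


def update_self_vulnerable(user: User, payload: dict) -> User:
    """Vulnerable pattern: every attribute present in the request body is
    written onto the caller's own account, privilege flags included."""
    for name, value in payload.items():
        if hasattr(user, name):
            setattr(user, name, value)
    return user


def update_self_hardened(user: User, payload: dict,
                         actor: Optional[User] = None) -> User:
    """Hardened pattern: privileged flags are only accepted when the acting
    account (defaults to the user themself) is a superuser. The request is
    rejected outright rather than silently stripped, so a client that tries
    it gets an error and the attempt is visible in server logs."""
    actor = actor if actor is not None else user
    attempted = PRIVILEGED_FIELDS.intersection(payload)
    if attempted and not actor.is_superuser:
        raise PermissionError(
            f"{actor.username} may not set {sorted(attempted)}")
    for name, value in payload.items():
        if hasattr(user, name):
            setattr(user, name, value)
    return user


def users_with_flag(users: Iterable[User], flag: str = "is_project_admin"):
    """Post-incident review helper: list non-superuser accounts that carry
    the flag, so they can be compared against the expected set. Holding the
    flag is not proof of abuse; admins may have granted it legitimately."""
    return sorted(u.username for u in users
                  if getattr(u, flag) and not u.is_superuser)


# Version handling: SysReptor releases are numbered <year>.<release>.
AFFECTED_MIN = (2024, 74)
FIXED = (2025, 83)


def parse_version(version: str) -> tuple:
    year, release = version.strip().split(".")
    return (int(year), int(release))


def is_affected(version: str) -> bool:
    """True for 2024.74 <= version < 2025.83, the range in the advisory."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


if __name__ == "__main__":
    alice = User("alice")
    update_self_vulnerable(alice, {"is_project_admin": True})
    print("vulnerable handler granted project admin:", alice.is_project_admin)
    bob = User("bob")
    try:
        update_self_hardened(bob, {"is_project_admin": True})
    except PermissionError as exc:
        print("hardened handler rejected:", exc)
    print("2025.82 affected:", is_affected("2025.82"))
    print("2025.83 affected:", is_affected("2025.83"))
```

The hardened handler rejects rather than drops the privileged field; silently ignoring it hides probing attempts from the operator. The review helper is a starting point for checking a deployed instance after upgrading: any non-superuser on that list who was not deliberately granted project-admin rights warrants a closer look at that account's activity.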
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/Syslifters/sysreptor/security/advisories/GHSA-r6hm-59cq-gjg6
Scores
CVSS v3
8.1
EPSS
0.0030
EPSS Percentile
21.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-266
Status
published
Products (1)
syslifters/sysreptor
2024.74 to before 2025.83 (fixed in 2025.83)
Published
Sep 27, 2025
Tracked Since
Feb 18, 2026