CVE-2025-62368

CRITICAL

taiga-back < 6.9.0 - Remote Code Execution via Unsafe Deserialization

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-62368. PoCs published by rootjog, whotwagner, including Metasploit module exploits/multi/http/taiga_tribe_gig_unserial.

AI-analyzed exploit summary: This Metasploit module exploits a Python deserialization vulnerability in Taiga.io's `tribe_gig` parameter to achieve remote code execution. It authenticates, creates a malicious userstory, and executes arbitrary commands via a crafted payload.

Description

Taiga is an open source project management platform. In versions 6.8.3 and earlier, a remote code execution vulnerability exists in the Taiga API due to unsafe deserialization of untrusted data. This issue is fixed in version 6.9.0.

Exploits (1)

Metasploit · Working PoC · Excellent
by rootjog, whotwagner · ruby · poc · python
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/taiga_tribe_gig_unserial.rb

Classification
Working PoC: 100%
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Taiga.io (version not specified, but CVE-2025-62368)
Auth required
Prerequisites: Valid Taiga.io credentials · Project with kanban activated · Network access to the Taiga.io API
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.0
EPSS 0.0070
EPSS Percentile 48.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-502
Status published
Products (1)
taigaio/taiga-back < 6.9.0
Published Oct 28, 2025
Tracked Since Feb 18, 2026