CVE-2025-67031

MEDIUM

ORSEE 3.1.0 - Authenticated Remote Code Execution via Participant Profile Field Processing

Title source: llm

Description

ORSEE (Online Recruitment System for Economic Experiments) 3.1.0 contains an authenticated Remote Code Execution vulnerability in the participant profile field processing subsystem. Certain field configurations accept values beginning with the prefix "func:" which are passed directly into an eval() call inside tagsets/participant.php and tagsets/options.php.

References (2)

Core 2

Core References

https://github.com/orsee/orsee/archive/refs/tags/orsee_3.1.0.zip

https://medium.com/@erabhishekshroti/cve-2025-67031-remote-code-execution-in-orsee-3-1-0-2bfc71d6d5eb

Scores

CVSS v3 6.3

EPSS 0.0034

EPSS Percentile 25.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-94

Status published

Published May 15, 2026

Tracked Since May 16, 2026