CVE-2025-13118
6.3 MEDIUMA vulnerability was detected in macrozheng mall-swarm and mall up to 1.0.3
Published: 2025-11-13 · Last updated: 2026-04-29
Severity and scoring
- CVSS
- 6.3 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- CWE
- CWE-266, CWE-285
Affected products
| Vendor | Product |
|---|---|
| macrozheng | mall, mall-swarm |
Description
A vulnerability was detected in macrozheng mall-swarm and mall up to 1.0.3. Affected by this issue is the function paySuccess of the file /order/paySuccess. The manipulation of the argument orderID results in improper authorization. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2025-13118
- [Exploit reference]https://github.com/Hwwg/cve/issues/14
- [Exploit reference]https://github.com/Hwwg/cve/issues/9
- [Other]https://vuldb.com/?ctiid.332323
- [Other]https://vuldb.com/?id.332323
- [Other]https://vuldb.com/?submit.683345
- [Other]https://vuldb.com/?submit.686531
- [Exploit reference]https://github.com/Hwwg/cve/issues/9
Related CVEs
Same CWE
- CVE-2026-53862 — OpenClaw before 2026.5.12 contains a bootstrap token replay vulnerability allowing callers with pending token access to reuse tokens with... (4.2 MEDIUM)
- CVE-2026-53847 — OpenClaw before 2026.5.6 contains a privilege escalation vulnerability in the Active Memory write scope that allows Gateway operators wit... (5.4 MEDIUM)
- CVE-2026-49780 — Customer Privilege Escalation in Dokan <= 5.0.2 versions (8.8 HIGH)
- CVE-2026-49083 — Contributor Privilege Escalation in LatePoint <= 5.5.1 versions (7.5 HIGH)
- CVE-2026-49063 — Unauthenticated Privilege Escalation in Listdom <= 5.5.0 versions (7.3 HIGH)