CVE-2025-3026

EPSS 0.48%

Improper Neutralization of Special Elements vulnerability in EJBCA

Published: 10/10/2025Modified: 10/10/2025

Also known as:BIT-ejbca-2025-3026

Description

The vulnerability exists in the EJBCA service, version 8.0 Enterprise. Not tested in higher versions. By modifying the ‘Host’ header in an HTTP request, it is possible to manipulate the generated links and thus redirect the client to a different base URL. In this way, an attacker could insert his own server for the client to send HTTP requests, provided he succeeds in exploiting it.

Affected packages (1)

Bitnami/ejbca>= 8.0.0, < 9.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References (2)

WEBhttps://nvd.nist.gov/vuln/detail/CVE-2025-3026
WEBhttps://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-ejbca