The Primakon Pi Portal 1.0.18 /api/V2/pp_users?email endpoint is used for user data filtering but lacks proper server-side validation against the authenticated session. By manipulating the email parameter to an arbitrary value (e.g., [email protected]), an attacker can assume the session and gain full access to the target user's data and privileges. Also, if the email parameter is left blank, the application defaults to the first user in the list, who is typically the application administrator, resulting in an immediate Privilege Escalation to the highest level.
Conclusion & alert: CVE-2025-64062 is rated Moderate Risk (40.8/100): CVSS High severity, with low exploitation likelihood (EPSS 0.25%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.06% | 0.25% | +0.19% |
| 2 | 2026-05-05 | 0.05% | 0.06% | +0.01% |
| 3 | 2026-04-23 | — | 0.05% | — |
Full EPSS history (5 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.8 | 3.1 | HIGH |
|
2.8 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| primakon | project_contract_management | 1.0.18 | cpe:2.3:a:primakon:project_contract_management:1.0.18:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64062.md | Third Party Advisory |
| https://www.primakon.com/rjesenja/primakon-pcm/ | Product |