Aggregates CVE and security vulnerability intelligence across all primakon-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Common weakness patterns include vendor risk path handling, with potential vendor impact file overwrite across vendor surface software deployment and vendor surface production workloads use cases.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-64067 | Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles, project records) fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This vulnerability can be exploited in two ways: Direct ID manipulation and IDOR, by changing an ID parameter (e.g., user_id, project_id) in the request, an attacker can access the object and data belonging to anothe | [email protected] | 5.3 | 0.20% | 2025-11-25 | 2026-06-17 |
| CVE-2025-64065 | The Primakon Pi Portal 1.0.18 API /api/V2/pp_udfv_admin endpoint, fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to a access control failure. This flaw allows any authenticated low-privileged user to execute a direct PATCH request, enabling them to impersonate any other arbitrary user, including application Administrators. This is due to a Broken Function Level Authorization failure (the function doesn't check the caller' | [email protected] | 8.8 | 0.25% | 2025-11-25 | 2026-06-17 |
| CVE-2025-64064 | Primakon Pi Portal 1.0.18 /api/v2/pp_users endpoint fails to adequately check user permissions before processing a PATCH request to modify the PP_SECURITY_PROFILE_ID. Because of weak access controls any low level user can use this API and change their permission to Administrator by using PP_SECURITY_PROFILE_ID=2 inside body of request and escalate privileges. | [email protected] | 8.8 | 0.25% | 2025-11-25 | 2026-06-17 |
| CVE-2025-64063 | Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when processing requests. Specifically, a standard user can exploit this flaw by sending direct HTTP requests to administrative endpoints, bypassing the UI restrictions. This allows the attacker to manipulate data outside their assigned scope, including: Unauthorized Account modification, modifying/deleting arbitrary user accounts and changing passwords by sending a direct request to the user management API e | [email protected] | 9.8 | 0.33% | 2025-11-25 | 2026-06-17 |
| CVE-2025-64066 | Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The endpoint fails to implement any authorization checks, allowing unauthenticated attackers to perform POST requests to register new user accounts in the application's local database. This bypasses the intended security architecture, which relies on an external Identity Provider for initial user registration and assumes that internal user creation is an administrative-only function. | [email protected] | 8.6 | 0.16% | 2025-11-25 | 2026-06-17 |
| CVE-2025-64062 | The Primakon Pi Portal 1.0.18 /api/V2/pp_users?email endpoint is used for user data filtering but lacks proper server-side validation against the authenticated session. By manipulating the email parameter to an arbitrary value (e.g., [email protected]), an attacker can assume the session and gain full access to the target user's data and privileges. Also, if the email parameter is left blank, the application defaults to the first user in the list, who is typically the application administrator, | [email protected] | 8.8 | 0.25% | 2025-11-25 | 2026-06-17 |
| CVE-2025-64061 | Primakon Pi Portal 1.0.18 /api/v2/users endpoint is vulnerable to unauthorized data exposure due to deficient access control mechanisms. Any authenticated user, regardless of their privilege level (including standard or low-privileged users), can make a GET request to this endpoint and retrieve a complete, unfiltered list of all registered application users. Crucially, the API response body for this endpoint includes password hashes. | [email protected] | 4.3 | 0.18% | 2025-11-25 | 2026-06-17 |