CVE-2025-29993

Summary

The affected versions of PowerCMS allow HTTP header injection. This vulnerability can be leveraged to direct the affected product to send email with a tampered URL, such as password reset mail.

Affected Software

VendorProductVersion RangeStatus
Alfasado Inc.PowerCMS 6.x series6.6 and earlieraffected
Alfasado Inc.PowerCMS 5.x series5.27 and earlieraffected
Alfasado Inc.PowerCMS 4.x series4.58 and earlieraffected

Weaknesses

  • CWE-74: Improper neutralization of special elements in output used by a downstream component ('Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References