Description

A Cross-Site Request Forgery (CSRF) vulnerability in xxl-api v1.3.0 allows attackers to arbitrarily add users to the management module via a crafted GET request.

PUBLISHED | Reserved: 2025-09-26 | Published: 2025-11-12 | Updated: 2025-11-13 | Assigner: mitre

References

github.com/xuxueli/xxl-api/issues/64

gist.github.com/LockeTom/77fb982a49dee956101810bbefa09fb4

cve.org (CVE-2025-60645)

nvd.nist.gov (CVE-2025-60645)
