CVE-2025-60949

Census CSWeb 8.0.1 allows "app/config" to be reachable via HTTP in some deployments. A remote, unauthenticated attacker could send requests to configuration files and obtain leaked secrets. Fixed in 8.1.0 alpha.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/csprousers/csweb/commit/eba0b59a243390a1a4f9524cce6dbc0314bf0d91	Patch
https://github.com/hx381/cspro-exploits	Third Party Advisory
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-082-01.json	Broken Link
https://www.cve.org/CVERecord?id=CVE-2025-60949	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:csprousers:csweb:8.0.1:*:*:*:*:*:*:*

History

25 Mar 2026, 21:06

Type	Values Removed	Values Added
CPE		cpe:2.3:a:csprousers:csweb:8.0.1:::::::*
First Time		Csprousers Csprousers csweb
References	~~() https://github.com/csprousers/csweb/commit/eba0b59a243390a1a4f9524cce6dbc0314bf0d91 -~~	() https://github.com/csprousers/csweb/commit/eba0b59a243390a1a4f9524cce6dbc0314bf0d91 - Patch
References	~~() https://github.com/hx381/cspro-exploits -~~	() https://github.com/hx381/cspro-exploits - Third Party Advisory
References	~~() https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-082-01.json -~~	() https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-082-01.json - Broken Link
References	~~() https://www.cve.org/CVERecord?id=CVE-2025-60949 -~~	() https://www.cve.org/CVERecord?id=CVE-2025-60949 - Third Party Advisory
Summary		(es) Census CSWeb 8.0.1 permite que 'app/config' sea accesible a través de HTTP en algunas implementaciones. Un atacante remoto y no autenticado podría enviar solicitudes a archivos de configuración y obtener secretos filtrados. Corregido en 8.1.0 alpha.

23 Mar 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-23 22:16

Updated : 2026-03-25 21:06

NVD link : CVE-2025-60949

Mitre link : CVE-2025-60949

CVE.ORG link : CVE-2025-60949

JSON object : View

Products Affected

csprousers

csweb

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

9.1 /10