CVE-2025-58052

high

Published 2025-12-19 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

8.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS v4 NEW

2.1

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

VIR risk

8.1

Description

Galette is a membership management web application for non profit organizations. Starting in version 0.9.6 and prior to version 1.2.0, attackers with group manager role can bypass intended restrictions allowing unauthorized access and changes despite role-based controls. Since it requires privileged access initially, exploitation is restricted to malicious insiders or compromised group managers accounts. Version 1.2.0 fixes the issue.

Predictions

Exploit likelihood

88%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: GitHub Security Advisory · View original ↗ · CC-BY-4.0

Application impact

Vendor	Product	Versions	Fixed
galette	galette	`{"endExcluding":"1.2.0"}`	`1.2.0`

References

https://github.com/galette/galette/security/advisories/GHSA-gp9g-gf56-fcxx

CWEs

CWE-863

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.