CVE-2025-64498 Tuleap has a Cross-Site Request Forgery (CSRF) vulnerability

🗓️ 08 Dec 2025 22:36:26Reported by GitHub_MType

Tuleap CSRF allows changing tracker settings; fixed in community edition 17.0.99.1762444754 and enterprise editions 17.0-2, 16.13-7, 16.12-10.

Reporter	Title	Published	Views	Family All 9
Circl	CVE-2025-64498	8 Dec 202523:29	–	circl
CNNVD	Enalean Tuleap 跨站请求伪造漏洞	8 Dec 202500:00	–	cnnvd
CVE	CVE-2025-64498	8 Dec 202522:36	–	cve
EUVD	EUVD-2025-201838	8 Dec 202522:36	–	euvd
NVD	CVE-2025-64498	8 Dec 202523:15	–	nvd
OSV	CVE-2025-64498 Tuleap has a Cross-Site Request Forgery (CSRF) vulnerability	8 Dec 202522:36	–	osv
Positive Technologies	PT-2025-49606	8 Dec 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-64498	9 Dec 202523:32	–	redhatcve
Vulnrichment	CVE-2025-64498 Tuleap has a Cross-Site Request Forgery (CSRF) vulnerability	8 Dec 202522:36	–	vulnrichment

[
  {
    "vendor": "Enalean",
    "product": "tuleap",
    "versions": [
      {
        "version": "Tuleap Community Edition < 17.0.99.1762444754",
        "status": "affected"
      },
      {
        "version": "Tuleap Enterprise Edition < 17.0-2",
        "status": "affected"
      },
      {
        "version": "Tuleap Enterprise Edition < 16.13-7",
        "status": "affected"
      },
      {
        "version": "Tuleap Enterprise Edition < 16.12-10",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/Enalean/tuleap/security/advisories/GHSA-vxfh-h8p6-p5rg
tuleap	www.tuleap.net/plugins/tracker/
tuleap	www.tuleap.net/plugins/git/tuleap/tuleap/stable
github	www.github.com/Enalean/tuleap/commit/993316dd6a291bb3937cb7a4571eaab0e7d55370

08 Dec 2025 22:36Current

CVSS 3.14.6

EPSS0.00121

CWE-352