EUVD-2025-206489

🗓️ 28 Jan 2026 11:52:15Reported by EUVDType

CSRF flaw in Sync Breeze Enterprise Server 10.4.18 and Disk Pulse Enterprise 10.4.18 enables authenticated users to change credentials or create users via POST to /setup_login?sid=, affecting username, password, and cpassword.

Reporter	Title	Published	Views	Family All 9
ATTACKERKB	CVE-2025-59891	28 Jan 202611:52	–	attackerkb
Circl	CVE-2025-59891	28 Jan 202614:34	–	circl
CNNVD	Flexense Sync Breeze Enterprise Server and Flexense Disk Pulse Enterprise have vulnerabilities related to cross-site request forgeing attacks.	28 Jan 202600:00	–	cnnvd
CVE	CVE-2025-59891	28 Jan 202611:52	–	cve
Cvelist	CVE-2025-59891 Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server	28 Jan 202611:52	–	cvelist
NVD	CVE-2025-59891	28 Jan 202612:15	–	nvd
Positive Technologies	PT-2026-5099	28 Jan 202600:00	–	ptsecurity
RedhatCVE	CVE-2025-59891	29 Jan 202615:18	–	redhatcve
Vulnrichment	CVE-2025-59891 Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server	28 Jan 202611:52	–	vulnrichment

[
  {
    "enisaIdVendor": [
      {
        "id": "92d26c7c-42d9-3eb6-a0ad-33a7ab93e4cf",
        "vendor": {
          "name": "Flexense"
        }
      }
    ],
    "enisaIdProduct": [
      {
        "id": "13d6a26c-ba22-341f-86c6-c32d15515a9f",
        "product": {
          "name": "Disk Pulse Enterprise"
        },
        "product_version": "v10.4.18"
      },
      {
        "id": "e950c784-dfe4-3872-8918-26c2a4c51c5a",
        "product": {
          "name": "Sync Breeze Enterprise Server"
        },
        "product_version": "v10.4.18"
      }
    ]
  }
]

Source	Link
incibe	www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products

28 Jan 2026 15:46Current

5.9Medium risk

Vulners AI Score5.9

CVSS 48.5

EPSS0.00034

SSVC