CVE-2025-15242

A vulnerability was detected in PHPEMS up to 11.0. The impacted element is an unknown function of the component Coupon Handler. Performing a manipulation results in race condition. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is regarded as dif...

low 3.1 CVSS 3.1

Published: Dec 30, 2025

Modified: Feb 24, 2026

Vendor: Phpems

Product: Phpems

Description

A vulnerability was detected in PHPEMS up to 11.0. The impacted element is an unknown function of the component Coupon Handler. Performing a manipulation results in race condition. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is regarded as difficult. The exploit is now public and may be used.

References

https://byebydoggy.github.io/post/2025/1229-phpems-coupon-recharge-race-condition-poc/
https://vuldb.com/?ctiid.338632
https://vuldb.com/?id.338632
https://vuldb.com/?submit.725661

Related CVEs

CVSS Breakdown

Version	3.1
Score	3.1 / 10
Severity	low

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Weakness (CWE)

CWE-362

Affected Product

Vendor	Phpems
Product	Phpems