CVE-2018-25391 in HaPe PKH

Summary

by MITRE • 05/29/2026

HaPe PKH 1.1 fails to enforce authorization on its record deletion endpoints, allowing unauthenticated attackers to delete arbitrary records by sending a crafted request that specifies the target record's id. The admin/modul/mod_pengurus/aksi_pengurus.php (module=pengurus&act=hapus) and admin/modul/mod_update/aksi_update.php (module=update&act=hapus) endpoints process deletions without verifying the requester's privileges, enabling removal of pengurus (administrator) and update records.

Responsible: VulnCheck
Reservation: 05/29/2026
Disclosure: 05/29/2026
Moderation: accepted
CPE: ready
Exploit: Download
EPSS: 0.00034
KEV: no
Activities: very low
