CRITICAL🇵🇱 Wersja polska

CVE-2025-70046

CVSS 9.8v3.1pub. 2026-03-09upd. 2026-03-13

An issue pertaining to CWE-829: Inclusion of Functionality from Untrusted Control Sphere was discovered in Miazzy oa-front-service master.

🤖 AI Analysis
How it works

The CWE-829 vulnerability (Inclusion of Functionality from Untrusted Control Sphere) occurs when an application downloads and executes code or resources from external, untrusted sources without proper verification of their integrity or origin. An attacker can influence which code is loaded by the application by substituting their own malicious functionality. The attack vector is network-based (AV:N), requires no authentication (PR:N) and no user interaction (UI:N), which means it is possible to exploit fully remotely and automatically.

Impact

Successful exploitation of the vulnerability may lead to complete breach of system confidentiality, integrity, and availability — attackers may gain unauthorized access to data, modify application content, or cause it to become unavailable.

Mitigation & patch

Patches available from the vendor should be applied according to references. It is recommended to monitor the project repository at https://github.com/Miazzy/oa-front-service and analyze the indicated proof-of-concept at https://gist.github.com/zcxlighthouse/a29d9de46c4eac2de5c4d5a7b6c6c532 to assess the threat and implement appropriate remedial measures.

Who is affected

Miazzy oa-front-service, master branch (specific versions indicated in vendor references)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Miazzy Oa Font Service

    APP
    Miazzy
    master
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References