VYPR
High severityOSV Advisory· Published Oct 29, 2025· Updated Apr 15, 2026

CVE-2025-62797

CVE-2025-62797

Description

FluxCP is a web-based Control Panel for rAthena servers written in PHP. A critical Cross-Site Request Forgery (CSRF) vulnerability exists in the FluxCP-based website template used by multiple rAthena/Ragnarok servers. State-changing POST endpoints accept browser-initiated requests that are authorized solely by the session cookie without per-request anti-CSRF tokens or robust Origin/Referer validation. An attacker who can lure a logged-in user to an attacker-controlled page can cause that user to perform sensitive actions without their intent. This vulnerability is fixed with commit e3f130c.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Rathena/FluxcpOSV2 versions
    v1.3.0+ 1 more
    • (no CPE)range: v1.3.0
    • (no CPE)

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.