CVE-2025-62797 – CSRF in FluxCP account endpoints allows account takeover / state-changing actions

CVE ID : CVE-2025-62797

Published : Oct. 29, 2025, 6:15 p.m. | 1 hour, 8 minutes ago

Description : FluxCP is a web-based Control Panel for rAthena servers written in PHP. A critical Cross-Site Request Forgery (CSRF) vulnerability exists in the FluxCP-based website template used by multiple rAthena/Ragnarok servers. State-changing POST endpoints accept browser-initiated requests that are authorized solely by the session cookie without per-request anti-CSRF tokens or robust Origin/Referer validation. An attacker who can lure a logged-in user to an attacker-controlled page can cause that user to perform sensitive actions without their intent. This vulnerability is fixed with commit e3f130c.

Severity: 8.6 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…