VDB

CVE-2025-11699

CVE-2025-11699 PUBLISHED CVSS 7.099999904632568 HIGH

nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability.

EPSS 0.03% · 9.5th percentile

Risk Scores

CVSS 3.1
7.099999904632568
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
EPSS Score
0.03%
9.5th percentile

Affected Products

VendorProductVersions
nopSolutionsnopCommerce4.80.3, 4.10
nopcommercenopcommerce0, 4.80.3

Timeline

  • Oct 13, 2025 CVE ID Reserved
  • Dec 1, 2025 CVE Published
  • Dec 1, 2025 PoC Published
  • Dec 1, 2025 CVE Updated
  • Dec 2, 2025 EPSS Score
  • Dec 2, 2025 PoC Published
  • Dec 6, 2025 EPSS Score
  • Dec 11, 2025 EPSS Score
  • Dec 15, 2025 EPSS Score
  • Dec 20, 2025 EPSS Score
  • Dec 24, 2025 EPSS Score
  • Dec 29, 2025 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›