GCVE-VVD-NCSC-2025-301 — Vulnetix

GCVE-VVD-NCSC-2025-301

Advisory PublishedCVSS 8.5/10

Vulnetix · Advisory published September 30, 2025

VMware vCenter has an SMTP header injection vulnerability that allows non-administrative users with scheduled task permissions to manipulate notification emails.

Download JSON Open in Console

Weaknesses (CWE)

CWE-77Improper Neutralization of Special Elements used in a Command ('Command Injection')CWE-640Weak Password Recovery Mechanism for Forgotten PasswordCWE-203Observable Discrepancy

Risk Scores

CVSS 3.1

8.5/10

High · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L

Affected Products

Vendor	Product	Versions	Platforms
VMware	vers:unknown/*	—	—

Aliases

CVE-2025-41252 CVE-2025-41251 CVE-2025-41250

Transitive aliases

VVD-CISA-2025-41251 BDU:2025-12559 GHSA-5vpj-22hp-chfg CNVD-2025-23111 EUVD-2025-31600 GHSA-2gr4-4mrg-85rh VVD-CISA-2025-41252 VVD-CISA-2025-41250 BDU:2025-12558 CNVD-2025-23110 EUVD-2025-31592 CNVD-2025-23109 BDU:2025-12560 GHSA-5qfp-g44c-j8xm EUVD-2025-31599

References

advisory

advisory

advisory

advisory

advisory

Browse GCVE Records

100 records in the GCVE database · Updated April 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

Open in Console Download JSON

$ Console Community · 100/wk Open console ›