OrientDB Community Edition allows malicious requests to perform unauthorized actions
CVE-2019-25447
Summary
The OrientDB HTTP interface accepts state-changing requests on the strength of the credentials the browser attaches automatically, with no anti-CSRF token. A page controlled by the attacker can therefore make a logged-in user's browser create or delete databases, modify schema classes, manage users, or create server-side functions. The same release also carries reflected and stored cross-site scripting in the web interface. This page lists no patched version; see the references for details.
What to do
No fixed version is listed. Check with the vendor for updates. Until one is available, keep the HTTP interface (default port 2480) off networks that untrusted browsers can reach, and avoid browsing untrusted sites from a browser session that holds OrientDB credentials, since that is the session a forged request rides on.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| orientdb | orientdb | 3.0.17 | – |
Original title
OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /datab...
Original description
OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /database/, /command/, and /document/. Attackers can create or delete databases, modify schema classes, manage users, and create functions by sending authenticated requests without token validation, combined with reflected and stored cross-site scripting vulnerabilities in the web interface.
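The description above says the affected endpoints act on any authenticated request, so the browser's automatically attached credentials are the only thing standing between an attacker's page and a database delete. The following is an added example, not OrientDB code: a small guard of the kind a reverse proxy in front of an unpatched instance could apply, combining an Origin/Referer check with a per-session token, run over constructed sample requests to the endpoint prefixes named in the advisory. The header names, the `CsrfGuard` class, the session handling and the request paths are assumptions made for the example.

```python
"""CSRF guard for state-changing requests to an OrientDB-style HTTP API.

Added example, not OrientDB's own code. The endpoint prefixes come from the
advisory; the header names, token storage and sample requests are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Endpoint prefixes the advisory names as reachable by forged requests.
STATE_CHANGING_PREFIXES = ("/database/", "/command/", "/document/")
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # header names lower-cased

    def header(self, name):
        return self.headers.get(name.lower())


class CsrfGuard:
    def __init__(self, allowed_origin):
        self.allowed_origin = allowed_origin.rstrip("/")
        self._tokens = {}  # session id -> per-session token (assumed store)

    def issue_token(self, session_id):
        tok = secrets.token_urlsafe(32)
        self._tokens[session_id] = tok
        return tok

    def is_state_changing(self, req):
        return (req.method.upper() not in SAFE_METHODS
                and req.path.startswith(STATE_CHANGING_PREFIXES))

    def check(self, req, session_id):
        """Return (allowed, reason) for a request made with the given session."""
        if not self.is_state_changing(req):
            return True, "not state-changing"
        # 1. Origin (or Referer as fallback) must be this server. A cross-site
        #    form or XHR cannot forge Origin; "null" or a foreign origin fails.
        src = req.header("origin") or req.header("referer")
        if src is None:
            return False, "no Origin/Referer"
        parts = urlsplit(src)
        src_origin = f"{parts.scheme}://{parts.netloc}"
        if src_origin != self.allowed_origin:
            return False, f"cross-origin request from {src_origin}"
        # 2. Credentials the browser sends on its own (cookie or cached Basic
        #    auth) are not enough: the request must also carry the session token.
        expected = self._tokens.get(session_id)
        supplied = req.header("x-csrf-token")
        if expected is None or supplied is None or not hmac.compare_digest(expected, supplied):
            return False, "missing or wrong CSRF token"
        return True, "ok"


def demo_results():
    """Constructed sample requests (paths are illustrative) and the guard's verdicts."""
    guard = CsrfGuard("http://db.example:2480")
    session = "sess-1"
    token = guard.issue_token(session)
    origin = "http://db.example:2480"
    cases = {
        # Forged by an attacker page the victim visits while logged in.
        "cross-site create db": Request("POST", "/database/demo/plocal",
                                        {"origin": "http://attacker.example"}),
        "same-origin no token": Request("POST", "/command/demo/sql",
                                        {"origin": origin}),
        "same-origin with token": Request("POST", "/document/demo",
                                          {"origin": origin, "x-csrf-token": token}),
        "read-only": Request("GET", "/database/demo", {}),
        "no origin header": Request("DELETE", "/database/demo", {}),
    }
    return {name: guard.check(req, session) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo_results().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

Two caveats follow from the advisory itself. First, the token check is what blocks the forged request; the Origin check alone would also do it in modern browsers, but older or non-browser clients may omit Origin, which is why the guard falls back to Referer and then denies. Second, the same release is described as having reflected and stored XSS in the web interface; script running in the application's own origin can read the token and send a valid request, so this guard defends against cross-site forgery only, not against an attacker who already has script execution in the Studio UI.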
NVD CVSS 3.1
3.5
NVD CVSS 4.0
5.3
Vulnerability type
CWE-352
Cross-Site Request Forgery (CSRF)
- https://orientdb.dev/ (Product)
- https://www.exploit-db.com/exploits/46517 (Exploit, VDB Entry)
- https://www.vulncheck.com/advisories/orientdb-cross-site-request-forgery (Third Party Advisory)
Published: 20 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026