CVE-2025-14085

MEDIUM
Published Dec 5, 2025 Modified Apr 29, 2026 CWE-913 CWE-914

Description

A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. This impacts an unknown function of the file /app-api/v1/orders/. The manipulation of the argument orderId leads to improper control of dynamically-identified variables. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS v3.1 Score

6.3
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Weakness Type (CWE)

CWE-913 CWE-913
CWE-914 CWE-914

Affected Products

Vendor Product
youlai youlai-mall
youlai youlai-mall

References

Frequently Asked Questions

What is CVE-2025-14085? +
A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. This impacts an unknown function of the file /app-api/v1/orders/. The manipulation of the argument orderId leads to improper control of dynamically-identified variables. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. It has a CVSS v3.1 base score of 6.3 (MEDIUM).
How severe is CVE-2025-14085? +
CVE-2025-14085 has a CVSS v3.1 score of 6.3 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance.
What products are affected by CVE-2025-14085? +
CVE-2025-14085 affects products from youlai, specifically: youlai-mall. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2025-14085? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-48700

An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file's path is passed as …
CVE-2025-13426

A vulnerability exists in Google Apigee's JavaCallout policy https://docs.apigee.com/api-platform/reference/policies/java-callout-policy that allows for remote code execution. It is possible for a …
CVE-2025-68613 9.9

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain …
CVE-2024-5452 9.8

A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user …
CVE-2025-25270 9.8

An unauthenticated remote attacker can alter the device configuration in a way to get remote code execution as root with …
CVE-2024-8953 9.8

In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2025-14085 — free, no signup required.

Start Free Scan