CVE-2025-70841 | Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 all… | CVSS 10.0 CRITICAL

Description

Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key (APP_KEY), database credentials, SMTP/SendGrid API credentials, and internal configuration parameters, enabling complete system compromise including authentication bypass via session token forgery, direct database access to all tenant data, and email infrastructure takeover. Due to the multi-tenancy architecture, this vulnerability affects all tenants in the system.

Metadata

CVE ID: CVE-2025-70841
State: PUBLISHED
Assigner: mitre
Reserved: 2026-01-09 00:00 UTC
Published: 2026-02-03 00:00 UTC
Last updated: 2026-02-04 19:09 UTC
Primary CWE: CWE-287
CWE-287 Improper Authentication
Vendor / Product: n/a / n/a
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AC:L/AV:N/A:N/C:H/I:H/PR:N/S:C/UI:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
n/a	n/a	—	n/a

Weakness (CWE)

CWE	Source	Description
—	cna	n/a
CWE-287	adp	CWE-287 Improper Authentication

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AC:L/AV:N/A:N/C:H/I:H/PR:N/S:C/UI:N

References (2)