PatchSiren cyber security CVE debrief
CVE-2025-9062 MeCODE Informatics and Engineering Services Ltd. CVE debrief
CVE-2025-9062 is an Authorization Bypass Through User-Controlled Key vulnerability in Envanty, a product of MeCODE Informatics and Engineering Services Ltd. The vulnerability allows for Parameter Injection and affects Envanty versions before 1.0.6. The CVSS score for this vulnerability is 7.3, indicating a HIGH severity. The vulnerability was publicly disclosed on 2026-02-19T11:15:57.120Z and last modified on 2026-06-05T12:16:34.930Z.
- Vendor: MeCODE Informatics and Engineering Services Ltd.
- Product: Envanty
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-19
- Original CVE updated: 2026-06-05
- Advisory published: 2026-02-19
- Advisory updated: 2026-06-05
Who should care
Users of Envanty versions before 1.0.6 should apply the necessary patches to prevent exploitation of this vulnerability.
Technical summary
The vulnerability is caused by an Authorization Bypass Through User-Controlled Key issue in Envanty, which allows for Parameter Injection. This can be exploited by an attacker to bypass authorization and potentially gain unauthorized access to sensitive data.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Envanty to version 1.0.6 or later.
- Review and update access controls to prevent unauthorized access.
Evidence notes
The vendor, MeCODE Informatics and Engineering Services Ltd., was contacted early about this disclosure but did not respond. That the vulnerability has been remediated was learned from reporter information and testing.
Official resources
CVE-2025-9062 was publicly disclosed on 2026-02-19T11:15:57.120Z.