PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-67031 ORSEE CVE debrief

CVE-2025-67031 describes an authenticated remote code execution weakness in ORSEE 3.1.0. The issue is tied to participant profile field processing where certain configurations accept values beginning with the prefix "func:" and pass them into eval() within tagsets/participant.php and tagsets/options.php. The NVD record classifies the weakness as CWE-94 and assigns a CVSS v3.1 score of 6.3 (MEDIUM) with network attack, low complexity, and required privileges.

Vendor
ORSEE
Product
ORSEE
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-15
Original CVE updated
2026-05-18
Advisory published
2026-05-15
Advisory updated
2026-05-18

Who should care

Administrators and maintainers of ORSEE 3.1.0, especially environments where authenticated users can influence participant profile fields or related tagset configuration. Security teams should also review any deployment that exposes ORSEE to untrusted or semi-trusted internal users.

Technical summary

The vulnerability is an authenticated code-execution path in the participant profile field processing of ORSEE 3.1.0. According to the CVE description, configurations that accept values prefixed with "func:" pass those values directly into eval() in tagsets/participant.php and tagsets/options.php. That is a textbook code injection condition, and the NVD record maps it to CWE-94. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L, indicating remote reachability, low attack complexity, a low-privileged account as the only precondition, no user interaction, and impact to confidentiality, integrity, and availability. Note that eval() executes whatever it is given with the full privileges of the PHP process, so the Low impact ratings in the vector should not be read as a limit on what injected code can do once an account with access to these fields is compromised.

Defensive priority

Medium-high. The CVSS score is MEDIUM, but the presence of eval()-backed authenticated RCE logic makes this worth fast-tracking in any exposed ORSEE 3.1.0 deployment. Prioritize patching or removing the vulnerable functionality before broadening access to the affected fields.

Recommended defensive actions

  • Upgrade or replace ORSEE 3.1.0 with a version that removes the eval()-based handling described in the CVE.
  • Audit tagsets/participant.php and tagsets/options.php for any remaining eval() or dynamic execution paths tied to "func:" values.
  • Restrict access to participant profile field configuration and any related administrative interfaces to the smallest possible set of trusted accounts.
  • Review logs for unusual edits to participant profile fields or tagset options that begin with "func:".
  • If immediate remediation is not possible, disable or isolate the affected profile-field configuration paths to prevent untrusted input from reaching eval().
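The following is an added illustration, written for this debrief and not taken from ORSEE, of the CWE-94 pattern the technical summary describes and of the hardened replacement the first two actions above call for; it also includes a small audit helper for the log-review step. The field names, option syntax, handler names and the sample rows are all assumptions made for the example (PHP 8 or later is assumed for str_starts_with()).

```php
<?php
// Added illustration of the CWE-94 pattern described in CVE-2025-67031.
// This is NOT ORSEE's code: the option syntax, field names and helper
// functions below are assumptions made for the example.

declare(strict_types=1);

// --- Vulnerable pattern (kept only for comparison; never call it with
// --- untrusted input) -------------------------------------------------------
// A profile-field option carrying "func:<php expression>" is meant to be
// computed at render time. Handing the remainder to eval() means whoever
// can set that option can run arbitrary PHP in the web server's process.
function resolve_option_vulnerable(string $value): string
{
    if (str_starts_with($value, 'func:')) {
        $code = substr($value, 5);
        return (string) eval('return ' . $code . ';');   // CWE-94: attacker-controlled code
    }
    return $value;
}

// --- Hardened replacement ---------------------------------------------------
// Replace eval() with a closed dispatch table: "func:" selects a named
// handler from an allowlist and the rest of the value is passed as plain
// data. Anything not on the list is rejected, never executed.
const OPTION_FUNCS = [
    'current_year' => 'opt_current_year',
    'uppercase'    => 'opt_uppercase',
];

function opt_current_year(string $arg): string { return date('Y'); }
function opt_uppercase(string $arg): string   { return strtoupper($arg); }

function resolve_option_safe(string $value): string
{
    if (!str_starts_with($value, 'func:')) {
        return $value;                           // ordinary literal value
    }
    // Assumed syntax: func:<name>[:<argument>]; the name must be a bare identifier.
    $parts = explode(':', substr($value, 5), 2);
    $name  = $parts[0];
    $arg   = $parts[1] ?? '';
    if (!preg_match('/^[a-z_]+$/', $name) || !isset(OPTION_FUNCS[$name])) {
        throw new InvalidArgumentException('unknown option function: ' . $name);
    }
    $handler = OPTION_FUNCS[$name];
    return $handler($arg);
}

// --- Audit helper for the log/config review step ----------------------------
// Given rows of stored field values (exported from the profile-field or
// tagset configuration, or reconstructed from edit logs), return the rows
// whose "func:" payload is not an allowlisted handler name.
function audit_func_values(array $rows): array
{
    $suspicious = [];
    foreach ($rows as $row) {
        $v = $row['value'];
        if (!str_starts_with($v, 'func:')) {
            continue;
        }
        $name = explode(':', substr($v, 5), 2)[0];
        if (!preg_match('/^[a-z_]+$/', $name) || !isset(OPTION_FUNCS[$name])) {
            $suspicious[] = $row;
        }
    }
    return $suspicious;
}

// Demonstration on constructed inputs (not real ORSEE data).
$inputs = [
    'plain text',
    'func:uppercase:hello',
    'func:current_year',
    "func:system('id')",   // what an attacker would submit
];
foreach ($inputs as $in) {
    try {
        printf("%-25s -> %s\n", $in, resolve_option_safe($in));
    } catch (InvalidArgumentException $e) {
        printf("%-25s -> REJECTED (%s)\n", $in, $e->getMessage());
    }
}

$rows = [
    ['field' => 'city',      'value' => 'Berlin'],
    ['field' => 'signup',    'value' => 'func:current_year'],
    ['field' => 'greeting',  'value' => "func:file_put_contents('s.php', '<?php ...')"],
];
foreach (audit_func_values($rows) as $row) {
    printf("SUSPICIOUS field=%s value=%s\n", $row['field'], $row['value']);
}
```

The allowlist approach removes the dynamic execution entirely rather than trying to sanitise PHP source, which is the only sound fix for an eval() sink; the audit helper applies the same allowlist to stored data so that values an attacker planted before patching are surfaced for review.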

Evidence notes

This debrief is based on the supplied CVE description, the NVD record metadata, and the listed reference links. The NVD record shows CVE-2025-67031 with status Deferred, CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L and weakness CWE-94. The record also lists references to the ORSEE 3.1.0 archive and a Medium writeup on this CVE.

Official resources

The CVE/NVD record lists the vulnerability as published on 2026-05-15T20:16:45.120Z and last modified on 2026-05-18T20:17:10.873Z. NVD currently shows the vulnerability status as Deferred. This summary uses the CVE publication date provided, not the generation or