CVE-2025-55741: 
PHP vulnerability analysis and mitigation

UnoPim, an open-source Product Information Management (PIM) system built on the Laravel framework, was found to contain a broken access control vulnerability (CVE-2025-55741) disclosed on August 22, 2025. In versions 0.3.0 and earlier, users without the Delete privilege for products could bypass access controls by using the mass-delete endpoint to delete products without proper authorization, even though they were correctly blocked from using the standard deletion endpoint (GitHub Advisory).

The vulnerability stems from improper access control implementation where authorization checks were not consistently applied across different endpoints. While the standard product deletion endpoint (DELETE /admin/catalog/products/{id}) correctly enforces access control by returning a 401 status with "This action is unauthorized" for users lacking the Delete privilege, the mass deletion endpoint (POST /admin/catalog/products/mass-delete) failed to implement these checks. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H, indicating network accessibility, low attack complexity, and high impact on integrity and availability (GitHub Advisory).

The vulnerability allows unauthorized users to perform product deletions, potentially leading to significant data loss and business disruption. Users who should not have deletion privileges can exploit this flaw to remove products from the system, bypassing intended access controls (GitHub Advisory).

The vulnerability has been fixed in version 0.3.1 with the implementation of proper access control checks for mass actions. No known workarounds exist for affected versions; upgrading to version 0.3.1 or later is strongly recommended (GitHub Advisory, GitHub Patch).