cvedb.io
CVE-2025-66910
MEDIUM · CVSS 6
EPSS exploitation probability: 0%
Published 2025-12-19T15:15:56.790 · Last modified 2026-06-17T09:57:19.117

Summary

Turms Server v0.10.0-SNAPSHOT and earlier contains a plaintext password storage vulnerability in the administrator authentication system. The BaseAdminService class caches administrator passwords in plaintext within AdminInfo objects to optimize authentication performance. Upon successful login, raw passwords are stored unencrypted in memory in the rawPassword field. Attackers with local system access can extract these passwords through memory dumps, heap analysis, or debugger attachment, bypassing bcrypt protection.

Affected products

turms-im — turms

Does this affect you?

Add your gear to cvedb and we'll alert you only when turms-im ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.