CVE-2025-11136
Last modified
CVE-2025-11136 is a low-severity vulnerability rated 2/10 on the CVSS scale. A flaw has been found in YiFang CMS up to 2.0.2. The impacted element is the function webUploader of the file app/app/controller/File.php of the component Backend. EPSS estimates a 0.37% chance of exploitation in the next 30 days.
Description
A flaw has been found in YiFang CMS up to 2.0.2. The impacted element is the function webUploader of the file app/app/controller/File.php of the component Backend. Executing manipulation of the argument uploadpath can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used.
Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Wanglongcn | Yifang | <= 2.0.2 |
References
- https://github.com/electroN1chahaha/YifangCMS-V2.0.0-Remote-Code-Execution-RCE-/issues/1Exploit, Issue Tracking
- https://vuldb.com/?ctiid.326213Permissions Required, VDB Entry
- https://vuldb.com/?id.326213Third Party Advisory, VDB Entry
- https://vuldb.com/?submit.657903Third Party Advisory, VDB Entry
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-11136?
How severe is CVE-2025-11136?
How do I fix CVE-2025-11136?
Are you affected by CVE-2025-11136?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST