CVE-2025-67886

Name: CVE-2025-67886
Creator: NVD / NIST
Published: 2026-05-08T07:16:28.18+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.3/10EPSS 1.03%

Last modified Jun 17, 2026

This CVE is reserved or awaiting analysis. Details will appear once published by NVD.

Description

Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged users who can upload new translated pages to the website.

Metrics

CVSS 3.1

6.3/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Probability

1.03%

59.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-434

References

https://dev.1c-bitrix.ru/api_help/translate/index.php
https://dev.1c-bitrix.ru/learning/course/?COURSE_ID=43&LESSON_ID=3055
https://karmainsecurity.com/pocs/CVE-2025-67886.php
https://seclists.org/fulldisclosure/2025/Dec/21
https://www.bitrix24.com/self-hosted/
http://seclists.org/fulldisclosure/2025/Dec/21
https://seclists.org/fulldisclosure/2025/Dec/21

Timeline

Published: May 8, 2026
Last Modified: Jun 17, 2026
Status: Awaiting Analysis

Are you affected by CVE-2025-67886?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST