TROYANOSYVIRUS
Zuruck zu CVEs

CVE-2025-69906

HIGH
8.8

Beschreibung

Monstra CMS v3.0.4 contains an arbitrary file upload vulnerability in the Files Manager plugin. The application relies on blacklist-based file extension validation and stores uploaded files directly in a web-accessible directory. Under typical server configurations, this can allow an attacker to upload files that are interpreted as executable code, resulting in remote code execution.

CVE Details

CVSS v3.1 Bewertung8.8
SchweregradHIGH
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienLOW
BenutzerinteraktionNONE
Veroffentlicht2/5/2026
Zuletzt geandert2/11/2026
Quellenvd
Honeypot-Sichtungen0

Betroffene Produkte

monstra:monstra_cms

Schwachen (CWE)

CWE-434

Referenzen

https://github.com/cypherdavy/CVE-2025-69906-Monstra-CMS-3.0.4-Arbitrary-File-Upload-to-RCE(cve@mitre.org)
https://github.com/monstra-cms/monstra/tree/master/plugins/box/filesmanager(cve@mitre.org)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.