TROYANOSYVIRUS
Retour aux CVEs

CVE-2025-69906

HIGH
8.8

Description

Monstra CMS v3.0.4 contains an arbitrary file upload vulnerability in the Files Manager plugin. The application relies on blacklist-based file extension validation and stores uploaded files directly in a web-accessible directory. Under typical server configurations, this can allow an attacker to upload files that are interpreted as executable code, resulting in remote code execution.

Details CVE

Score CVSS v3.18.8
SeveriteHIGH
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisLOW
Interaction utilisateurNONE
Publie2/5/2026
Derniere modification2/11/2026
Sourcenvd
Observations honeypot0

Produits affectes

monstra:monstra_cms

Faiblesses (CWE)

CWE-434

References

https://github.com/cypherdavy/CVE-2025-69906-Monstra-CMS-3.0.4-Arbitrary-File-Upload-to-RCE(cve@mitre.org)
https://github.com/monstra-cms/monstra/tree/master/plugins/box/filesmanager(cve@mitre.org)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.