CVE-2025-52353 – badaso/core

Package

Manager: composer
Name: badaso/core
Vulnerable Version: >=0 <=2.9.11

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:U/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

EPSS: 0.00092 pctl0.26814

Details

Badaso CMS file upload vulnerability An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PHP code via the file-upload endpoint, bypassing content-type validation. When such a file is accessed via its URL, the server executes the PHP payload, enabling an attacker to run arbitrary system commands and achieve full compromise of the underlying host. This has been demonstrated by embedding a backdoor within a PDF and renaming it with a .php extension.

Metadata

Created: 2025-08-26T21:31:07Z
Modified: 2025-08-26T22:34:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-gqp9-jh35-439m/GHSA-gqp9-jh35-439m.json
CWE IDs: ["CWE-434"]
Alternative ID: GHSA-gqp9-jh35-439m
Finding: F027
Auto approve: 1