Foxcms · Foxcms · CVE-2025-10251
Name of the Vulnerable Software and Affected Versions:
FoxCMS versions prior to 1.24
Description:
A SQL injection vulnerability exists in FoxCMS. It is caused by improper handling of the `ids` argument in the `batchCope` function of the file `/app/admin/controller/Images.php`. The vulnerability can be exploited remotely, and an exploit is publicly available. The vendor was notified but did not respond.
Recommendations:
As a temporary workaround, consider restricting access to the `/app/admin/controller/Images.php` file to minimize the risk of exploitation.
Avoid using the `ids` parameter of the `batchCope` function until a fix is available.
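The following is an added example, not FoxCMS code, showing the defensive pattern that removes this class of bug: a batch handler that validates an `ids` request parameter as a list of integers and binds each value as a query parameter, so the ids never become part of the SQL text. The function names `parseIds` and `batchDeleteImages`, the `images` table and the in-memory SQLite database are assumptions made for illustration; the page says nothing about FoxCMS's schema or what `batchCope` does with the ids beyond passing them into a query.

```php
<?php
// Added example (not FoxCMS code). Names, table and data are hypothetical.
// A vulnerable handler typically does something like
//     $db->exec("DELETE FROM images WHERE id IN ($ids)");
// with $ids taken straight from the request, so the request controls the SQL.
// The two functions below keep the ids out of the SQL text entirely.

declare(strict_types=1);

/**
 * Turn an `ids` parameter ("3,17,42" or an array of strings) into a list of
 * positive integers. Anything that is not a plain decimal integer is rejected
 * rather than forwarded to the database.
 *
 * @param string|array $raw  the untrusted request value
 * @param int          $max  upper bound on list length (assumed limit)
 */
function parseIds($raw, int $max = 200): array
{
    $parts = is_array($raw) ? $raw : explode(',', (string) $raw);
    $ids = [];
    foreach ($parts as $part) {
        $part = trim((string) $part);
        // ctype_digit accepts only [0-9]+, so values such as "1 OR 1=1" or "-1" fail here.
        if ($part === '' || !ctype_digit($part)) {
            throw new InvalidArgumentException('ids must be a comma-separated list of integers');
        }
        $ids[] = (int) $part;
    }
    $ids = array_values(array_unique($ids));
    if ($ids === [] || count($ids) > $max) {
        throw new InvalidArgumentException('ids list is empty or too long');
    }
    return $ids;
}

/**
 * Delete image rows by id using one bound placeholder per id.
 * Returns the number of rows removed.
 */
function batchDeleteImages(PDO $db, array $ids): int
{
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM images WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);   // positional parameters are 1-based
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Demonstration on constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE images (id INTEGER PRIMARY KEY, path TEXT)');
$db->exec("INSERT INTO images (id, path) VALUES (1,'a.png'), (2,'b.png'), (3,'c.png')");

// Well-formed input: two rows are deleted, one remains.
echo batchDeleteImages($db, parseIds('1,3')), " rows deleted\n";

// Malformed input never reaches the database: the validator throws first.
try {
    parseIds('1 OR 1=1');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The validation step is what makes the length of the `IN (...)` list safe to build dynamically: the placeholder string is assembled from a count, not from request data, and every value is bound as an integer. Logging the `InvalidArgumentException` path gives operators a simple signal for probing of the batch endpoint.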