PT-2025-11640 · Imfaq · Imfaq

Published: 2025-03-18 · Updated: 2025-03-19 · CVE-2025-29930

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

imFAQ versions prior to 1.0.1

Description

The issue allows an attacker to read sensitive files on the server through Local File Inclusion (LFI) by manipulating the seoOp parameter in the $_GET request. The seoOp and seoArg parameters are used directly without sanitization or validation. However, the risk is partly mitigated because ImpressCMS stores sensitive files outside the web root in a folder with a randomized name.

Recommendations

For versions prior to 1.0.1, update to version 1.0.1 to resolve the issue. As a temporary workaround, consider restricting access to the seoOp and seoArg parameters to minimize the risk of exploitation.
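
To check whether the seoOp and seoArg parameters have been abused before the update was applied, web server access logs can be searched for path-like values in them. The following is an added example, not code from imFAQ, ImpressCMS or this advisory; the log lines and request path are constructed samples, and the patterns treated as suspicious are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names come from the advisory; everything else here is an assumption.
WATCHED = {"seoop", "seoarg"}
# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Heuristics (assumed): traversal, absolute paths, stream wrappers, NUL bytes.
SUSPICIOUS_RE = re.compile(r"(\.\.[/\\]|^[/\\]|^[a-z][a-z0-9+.-]*://|\x00)", re.I)

# Constructed sample log lines (hypothetical module path and file name).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Mar/2025:10:00:01 +0000] "GET /modules/imfaq/index.php?seoOp=faq&seoArg=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [18/Mar/2025:10:00:07 +0000] "GET /modules/imfaq/index.php?seoOp=..%2F..%2Fexample HTTP/1.1" 200 312',
    '203.0.113.9 - - [18/Mar/2025:10:00:09 +0000] "GET /modules/imfaq/index.php?seoOp=%252e%252e%252fexample HTTP/1.1" 200 312',
]


def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e) a bounded number of times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(log_line):
    """Return [(name, decoded_value)] for watched parameters that look like paths."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() not in WATCHED:
            continue
        value = decode_fully(value)  # parse_qsl has already decoded once
        if SUSPICIOUS_RE.search(value):
            hits.append((name, value))
    return hits


def scan(lines):
    """Return [(line_index, hits)] for lines with at least one suspicious parameter."""
    results = [(i, suspicious_params(line)) for i, line in enumerate(lines)]
    return [(i, hits) for i, hits in results if hits]
```

A hit only shows that a path-like value was requested; whether a file was actually disclosed has to be judged from the response size and status alongside it.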

Related Identifiers

CVE-2025-29930
GHSA-VRR3-54VC-VWG3

Affected Products

Imfaq