PT-2025-23201 · Unknown · Chshcms Mccms

Huanyue · Published 2025-05-29 · Updated 2025-05-29 · CVE-2025-5327

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

chshcms mccms version 2.7

Description

A critical issue affects the function index of the file sys/apps/controllers/api/Gf.php. The manipulation of the argument pic leads to server-side request forgery. It is possible to initiate the attack remotely. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.

Recommendations

For version 2.7, as a temporary workaround, consider disabling the index function in the Gf.php file until a patch is available. Restrict access to the sys/apps/controllers/api/Gf.php file to minimize the risk of exploitation. Avoid using the argument pic in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

SSRF

Weakness Enumeration

Related Identifiers

CVE-2025-5327

Affected Products

Chshcms Mccms