PT-2025-24328 · Maxsite+2 · Cms+1

V3Ged4G · Published 2025-06-06 · Updated 2025-10-28 · CVE-2025-12346

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: MaxSite CMS versions prior to 110

Description: A flaw exists in MaxSite CMS that allows for unrestricted file uploads. This issue is related to the manipulation of the X-Requested-FileName and X-Requested-FileUpDir arguments within the HTTP Header Handler, specifically in the file application/maxsite/admin/plugins/auto post/uploads-require-maxsite.php. Remote exploitation is possible. The exploit is publicly available.

Recommendations: Update MaxSite CMS to version 110 or later.

Exploit · Fix

Weakness Enumeration: Improper Access Control, Unrestricted File Upload

Related Identifiers: CVE-2025-12346

Affected Products: Cms, Maxsite Cms