CVE-2025-46612

Name of the Vulnerable Software and Affected Versions Airleader Master and Easy versions prior to 6.36

Description The issue allows remote attackers to execute arbitrary commands via an unrestricted file upload in the Panel Designer dashboard. This can be exploited by logging into the administrator console, which has weak and easily guessable default credentials, and then uploading a JSP file via the dashboard. The wizard/workspace.jsp endpoint is specifically vulnerable to this type of attack, allowing the upload of malicious files.

Recommendations For versions prior to 6.36, update to version 6.36 or later to resolve the issue. As a temporary workaround, consider restricting access to the administrator console and changing the default credentials to stronger, unique passwords. Additionally, restrict the ability to upload files via the Panel Designer dashboard to minimize the risk of exploitation.