PT-2025-34578 · Unknown · Yifang Cms

Yu Bao · Published 2025-08-25 · Updated 2025-12-11 · CVE-2025-9400

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: YiFang CMS versions through 2.0.5
Description: A flaw exists in YiFang CMS up to version 2.0.5, specifically within the mergeMultipartUpload function located in the app/utils/base/plugin/P file.php file. Manipulation of the File argument leads to unrestricted file upload. Remote exploitation is possible. The exploit has been published and may be used. The vendor was contacted prior to disclosure but did not respond.
Recommendations: Update YiFang CMS to a version beyond 2.0.5. As a temporary workaround, restrict access to the P file.php file.

Exploit · Fix · Improper Access Control · Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2025-9400

Affected Products: Yifang Cms