CVE-2025-8120

Name of the Vulnerable Software and Affected Versions PAD CMS (affected versions not specified)

Description The software’s upload photo functionality has a flaw due to a client-controlled permission check parameter. This allows a remote, unauthenticated attacker to upload files of any type and extension without restrictions. Successful exploitation can lead to Remote Code Execution. The issue affects all three templates: www, bip, and ww+bip. The product is End-Of-Life and the producer will not release patches for this issue.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.