PT-2025-42509 · Vfront
Published
2025-10-16
·
Updated
2025-10-17
·
CVE-2025-60641
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Vfront version 0.99.52
Description
The file mexcel.php contains a vulnerable call to unserialize(base64_decode($_POST['mexcel'])). The $_POST['mexcel'] parameter is user-controlled input that is base64-decoded and passed to unserialize() without validation. This allows an attacker to inject arbitrary PHP objects, potentially leading to Remote Code Execution (RCE), SQL Injection, Path Traversal, or Denial of Service, depending on which classes in the application are exploitable. The vulnerable parameter is mexcel.
Recommendations
Update to a newer version that contains a fix for this vulnerability.
As a temporary workaround, restrict access to the mexcel.php file.
Avoid using the mexcel parameter in POST requests to the affected file.
Fix
DoS
RCE
SQL injection
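The following is an added illustration of the pattern named in the description, not code from Vfront or from mexcel.php. The AuditLogger class, the function names and the selection format are constructed assumptions; they show why an unrestricted unserialize() on a base64-decoded POST field lets the request choose which class is instantiated, and two defensive rewrites: refusing class instantiation with allowed_classes => false, and replacing PHP serialization with a JSON structure that is validated against the shape the application expects.

```php
<?php
// Added example for advisory PT-2025-42509; not Vfront code.
// AuditLogger is a constructed stand-in for any application class whose
// magic methods (__wakeup, __destruct, __toString, ...) do real work.
class AuditLogger {
    public $logFile = '/tmp/audit.log';   // constructed value
    public $message = '';

    public function __destruct() {
        // Harmless side effect here. In a real code base a method like this may
        // write files, run queries or include templates, which is where the
        // RCE / SQL injection / path traversal impacts listed above come from.
        error_log("AuditLogger destructed: {$this->message} -> {$this->logFile}");
    }
}

// The pattern described in the advisory: decode a POST field and unserialize it.
// Whatever class name the payload names gets instantiated.
function loadSelectionVulnerable(string $encoded) {
    return unserialize(base64_decode($encoded));
}

// Hardened variant 1: keep the wire format but forbid object instantiation.
// Objects in the payload become __PHP_Incomplete_Class and no magic method runs.
function loadSelectionNoClasses(string $encoded) {
    $raw = base64_decode($encoded, true);          // strict mode rejects junk input
    if ($raw === false) {
        return null;
    }
    return unserialize($raw, ['allowed_classes' => false]);
}

// Hardened variant 2: do not use PHP serialization for untrusted input at all.
// JSON can only yield scalars and arrays, so there is nothing to inject, and the
// result is checked against the shape the application expects (assumed here to
// be a flat list of integer ids).
function loadSelectionJson(string $encoded): ?array {
    $raw = base64_decode($encoded, true);
    if ($raw === false) {
        return null;
    }
    $data = json_decode($raw, true, 8);
    if (!is_array($data)) {
        return null;
    }
    foreach ($data as $value) {
        if (!is_int($value)) {
            return null;
        }
    }
    return $data;
}

// Constructed demo payload: a serialized AuditLogger object, as a client
// could submit in the mexcel POST field.
$payload = base64_encode(serialize(new AuditLogger()));

$vulnerable = loadSelectionVulnerable($payload);
// The request decided which class exists in memory now; its __destruct will run.
var_dump($vulnerable instanceof AuditLogger);

$hardened = loadSelectionNoClasses($payload);
// Same payload, but the object is an inert __PHP_Incomplete_Class.
var_dump($hardened instanceof __PHP_Incomplete_Class);

// JSON variant: a well-formed list is accepted, the serialized object is rejected.
var_dump(loadSelectionJson(base64_encode('[1,2,3]')));
var_dump(loadSelectionJson($payload));
```

Of the two rewrites, the JSON variant is the one to prefer when the stored data is plain application state: allowed_classes => false stops object injection but still leaves unserialize() parsing attacker-controlled structure, whereas json_decode() with a depth limit and an explicit shape check gives the application nothing to process that it did not ask for.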
Affected Products
Vfront