PT-2025-53626 · Unknown · Jackq Xcms

Formanagain · Published 2025-12-27 · Updated 2025-12-27 · CVE-2025-15110

CVSS v3.1: 7.2 High

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

jackq XCMS versions prior to 3fab5342cc509945a7ce1b8ec39d19f701b89261

Description

A flaw exists in jackq XCMS that allows for unrestricted file upload. The issue is located in the Upload function within the Admin/Home/Controller/ProductImageController.class.php file of the Backend component. Manipulation of the File argument enables remote attackers to upload files without restrictions. The exploit for this issue has been publicly disclosed and is potentially being used in active attacks. Reports indicate offensive activities targeting this vulnerability.

Recommendations

Versions prior to 3fab5342cc509945a7ce1b8ec39d19f701b89261 should be updated. As a temporary workaround, consider restricting access to the ProductImageController.class.php file or disabling the Upload function until a suitable update is available.

Exploit

Fix

Improper Access Control

Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2025-15110

Affected Products: Jackq Xcms