Skip to main content
CVE-2025-12347 LOW POC Monitor

MaxSite CMS up to version 109 contains an improper access control vulnerability in the file editor plugin that allows authenticated remote attackers to upload arbitrary files by manipulating the file_path and content parameters in save-file-ajax.php. Publicly available exploit code exists for this vulnerability, and the vendor has not responded to early disclosure attempts, leaving affected installations unpatched.

PHP Authentication Bypass File Upload Maxsite Cms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-12346 LOW POC Monitor

MaxSite CMS up to version 109 contains an unrestricted file upload vulnerability in the auto_post plugin's upload handler that allows authenticated remote attackers to bypass file upload restrictions by manipulating HTTP headers (X-Requested-FileName and X-Requested-FileUpDir). Public exploit code is available, though EPSS score (0.05%) suggests limited real-world exploitation despite the publicly disclosed proof-of-concept.

PHP Authentication Bypass File Upload Maxsite Cms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-12335 LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects E-Commerce Website 1.0 allows remote attackers to inject malicious scripts via the supp_name or supp_address parameters in /pages/supplier_update.php. Exploitation requires user interaction (clicking a malicious link) but no authentication. Publicly available exploit code exists; real-world exploitation risk is low (EPSS 0.04%, CVSS 2.1) due to limited scope and required user interaction, but the vulnerability is disclosed and weaponizable.

PHP XSS E Commerce Website
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-12332 LOW POC Monitor

Stored cross-site scripting (XSS) vulnerability in SourceCodester Student Grades Management System 1.0 allows authenticated administrators with high privileges to inject malicious scripts via the delete_user function in /admin.php, which execute in the context of other users' browsers when they interact with affected content. The vulnerability requires user interaction and administrative privileges to exploit, resulting in low integrity impact with a CVSS score of 1.9. Publicly available exploit code exists, though the very low EPSS score (0.05%, 14th percentile) suggests limited real-world exploitation despite POC availability.

PHP XSS Student Grades Management System
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-12344 LOW Monitor

Yonyou U8 Cloud versions up to 5.1sp allow authenticated remote attackers to bypass file upload restrictions via manipulation of the ts and sign parameters in the /service/NCloudGatewayServlet endpoint, enabling unrestricted file uploads. The vulnerability affects the Request Header Handler component and has been publicly disclosed with exploit code available, though the vendor has not responded to early notification.

Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy