baowzh hfly CVE-2025-14522
Severity: LOW
CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
Description (NVD)
A vulnerability was detected in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. The impacted element is an unknown function of the file /Public/Kindeditor/php/upload_json.php. Performing manipulation of the argument imgFile results in unrestricted upload. It is possible to initiate the attack remotely. The exploit is now public and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Unrestricted file upload in baowzh hfly allows authenticated remote attackers to upload arbitrary files via manipulation of the imgFile parameter in /Public/Kindeditor/php/upload_json.php. The vulnerability affects rolling-release versions up to commit 638ff9abe9078bc977c132b37acbe1900b63491c, carries low overall risk (CVSS 2.1, EPSS 0.07%), and has publicly available exploit code but requires authenticated access, significantly limiting real-world exploitability compared to unauthenticated file upload scenarios.
Technical Context (AI)
The vulnerability exists in a PHP-based file upload handler within the Kindeditor component of baowzh hfly, a PHP-based travel website CMS. The upload_json.php script fails to properly validate or restrict the imgFile parameter, resulting in unrestricted file upload capability classified under CWE-284 (Improper Access Control). The Kindeditor library is a web-based WYSIWYG editor commonly integrated into CMS platforms, and the upload functionality is typically exposed to handle image submissions. The vulnerability requires authenticated access (PR:L per CVSS 4.0 vector), meaning only users with valid credentials can exploit this flaw.
Remediation (AI)
Because baowzh hfly uses continuous rolling releases and the vendor did not respond to early disclosure attempts, no official vendor-released patch is available at the time of analysis. The recommended remediation is to update to the latest commit of baowzh hfly beyond 638ff9abe9078bc977c132b37acbe1900b63491c from the upstream repository. As an interim compensating control, disable or restrict access to the /Public/Kindeditor/php/upload_json.php endpoint via web server configuration (e.g., nginx/Apache deny rules) or WAF rules that block requests to this path, accepting the trade-off that image upload functionality will be unavailable until a patched version is deployed. Additionally, implement strict file type validation and store uploaded files outside the web root, so that even a successfully uploaded malicious file cannot be executed by the web server.
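As an added example (not code from baowzh hfly or Kindeditor), the following hardened PHP upload handler shows the interim controls named above: an extension allowlist, content sniffing of the actual bytes, server-generated filenames, and storage outside the web root. The storage path /var/app-data/uploads, the /media/ serving route, and the JSON response shape are assumptions.

```php
<?php
// Added example, not baowzh hfly or Kindeditor code: a hardened image upload
// handler applying the interim controls from the Remediation section.
// Assumptions: the app has already authenticated the user, the form field is
// still named imgFile, and UPLOAD_DIR is a hypothetical path outside the web root.
const UPLOAD_DIR = '/var/app-data/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;
// Allowlist: extension => MIME type that libmagic must report for the bytes.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png',  'gif' => 'image/gif'];

function reject(string $msg): void {
    header('Content-Type: application/json');
    echo json_encode(['error' => 1, 'message' => $msg]);
    exit;
}

$f = $_FILES['imgFile'] ?? null;
if ($f === null || $f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
    reject('no valid upload');
}
if ($f['size'] > MAX_BYTES) {
    reject('file too large');
}

// 1. Extension allowlist on the last component only; a name such as x.php.jpg is
//    judged on "jpg", which is safe only because step 3 never reuses the client name.
$ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
if (!isset(ALLOWED[$ext])) {
    reject('extension not allowed');
}

// 2. Content check: libmagic on the real bytes, plus a genuine image decode.
$mime = finfo_file(finfo_open(FILEINFO_MIME_TYPE), $f['tmp_name']);
if ($mime !== ALLOWED[$ext] || getimagesize($f['tmp_name']) === false) {
    reject('content does not match an allowed image type');
}

// 3. Server-generated name, stored outside the web root so the web server can
//    never execute an uploaded file; a separate read-only route serves /media/.
$name = bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($f['tmp_name'], UPLOAD_DIR . '/' . $name)) {
    reject('could not store file');
}

header('Content-Type: application/json');
echo json_encode(['error' => 0, 'url' => '/media/' . $name]);
```

The /media/ route is expected to read from UPLOAD_DIR and set Content-Type from the stored extension, so uploaded bytes are only ever returned as static image data.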