Is there a public PoC exploit available for CVE-2025-15110?

Yes, a public proof-of-concept exploit is available for CVE-2025-15110. Prioritise patching immediately. EPSS: 0.0%.

jackq XCMS CVE-2025-15110

Q: What is the CVSS score of CVE-2025-15110?

CVE-2025-15110 has a CVSS 4.0 base score of 2.0 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

LOW

Improper Access Control (CWE-284)

2025-12-27 cna@vuldb.com

PHP Authentication Bypass File Upload Xcms

2.0

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Apr 29, 2026 - 01:44 vuln.today

DescriptionNVD

A vulnerability has been found in jackq XCMS up to 3fab5342cc509945a7ce1b8ec39d19f701b89261. Affected is the function Upload of the file Admin/Home/Controller/ProductImageController.class.php of the component Backend. Such manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Unrestricted file upload in jackq XCMS allows high-privilege authenticated users to upload arbitrary files via the ProductImageController component, with publicly available exploit code disclosed. Despite a CVSS score of 2.0 reflecting the high authentication requirement (PR:H), the vulnerability enables authenticated administrators to bypass intended upload restrictions and potentially achieve remote code execution by uploading malicious files. The vendor has been informed via public issue report but has not yet responded with a fix.

Technical ContextAI

The vulnerability exists in the Upload function of Admin/Home/Controller/ProductImageController.class.php, a backend file upload handler in the jackq XCMS PHP application. CWE-284 (Improper Access Control) indicates that the upload mechanism fails to properly validate or restrict the File parameter, allowing authenticated users to circumvent file type, extension, or content validation controls. The attack leverages the backend admin interface, which typically runs with elevated privileges and file system write access, making successful exploitation capable of writing executable code to the web root.

RemediationAI

No vendor-released patch identified at time of analysis; the project maintainer has not responded to the public issue report. Immediate mitigations for affected deployments include: (1) Restrict backend admin interface access via network-level controls (e.g., VPN, IP allowlisting) to prevent unauthorized access to the upload functionality; (2) Implement file upload validation at the web server level (e.g., disable script execution in upload directories via .htaccess or nginx configuration: 'location /uploads { deny all; }'); (3) Enforce strict file type validation on uploaded files and store uploads outside the web root to prevent direct execution; (4) Monitor admin user activity and login attempts, as exploitation requires administrative privileges; (5) Consider migrating to an alternative, actively maintained CMS product if security updates are critical for your deployment. If the vendor releases patches via Gitee, monitor the repository for commit updates and redeploy immediately.

CVE-2025-15110 vulnerability details – vuln.today

Back