What is the CVSS score of CVE-2025-29306?

CVE-2025-29306 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 84.4%.

Which versions of Foxcms are affected by CVE-2025-29306?

CVE-2025-29306 presents critical security risk, a code injection vulnerability rated CVSS 9.8.

Is there a public PoC exploit available for CVE-2025-29306?

Yes, a public proof-of-concept exploit is available for CVE-2025-29306. Prioritise patching immediately. EPSS: 84.4%.

How to fix or mitigate CVE-2025-29306?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Validate that input sanitization is in place for all user-controlled parameters.

Foxcms CVE-2025-29306

CRITICAL

Code Injection (CWE-94)

2025-03-27 cve@mitre.org

RCE Code Injection Foxcms

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:33 vuln.today

PoC Detected

Jun 09, 2025 - 18:02 vuln.today

Public exploit code

CVE Published

Mar 27, 2025 - 19:15 nvd

CRITICAL 9.8

DescriptionNVD

An issue in FoxCMS v.1.2.5 allows a remote attacker to execute arbitrary code via the case display page in the index.html component.

AnalysisAI

FoxCMS version 1.2.5 contains an unauthenticated remote code execution vulnerability in the case display page of the index.html component. Attackers can inject and execute arbitrary PHP code on the server through crafted requests to the case display functionality.

Technical ContextAI

The case display functionality in FoxCMS processes user input through a template engine that fails to sanitize PHP code injection attempts. By submitting crafted content to the case display page, an attacker can inject PHP code that is evaluated server-side during template rendering. No authentication is required to access the vulnerable endpoint.

RemediationAI

Update FoxCMS to the latest version. Implement WAF rules blocking PHP code patterns in request parameters. Sanitize all template engine inputs to prevent code injection. Consider migrating to a more actively maintained CMS platform.

CVE-2025-29306 vulnerability details – vuln.today

Back

Foxcms CVE-2025-29306

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code