Skip to main content

Foxcms CVE-2025-29306

CRITICAL
Code Injection (CWE-94)
2025-03-27 cve@mitre.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 28, 2026 - 18:33 vuln.today
PoC Detected
Jun 09, 2025 - 18:02 vuln.today
Public exploit code
CVE Published
Mar 27, 2025 - 19:15 nvd
CRITICAL 9.8

DescriptionCVE.org

An issue in FoxCMS v.1.2.5 allows a remote attacker to execute arbitrary code via the case display page in the index.html component.

AnalysisAI

FoxCMS version 1.2.5 contains an unauthenticated remote code execution vulnerability in the case display page of the index.html component. Attackers can inject and execute arbitrary PHP code on the server through crafted requests to the case display functionality.

Technical ContextAI

The case display functionality in FoxCMS processes user input through a template engine that fails to sanitize PHP code injection attempts. By submitting crafted content to the case display page, an attacker can inject PHP code that is evaluated server-side during template rendering. No authentication is required to access the vulnerable endpoint.

RemediationAI

Update FoxCMS to the latest version. Implement WAF rules blocking PHP code patterns in request parameters. Sanitize all template engine inputs to prevent code injection. Consider migrating to a more actively maintained CMS platform.

More in Foxcms

View all
CVE-2025-25789 CRITICAL POC
9.8 Feb 26

FoxCMS v1.2.5 was discovered to contain a remote code execution (RCE) vulnerability via the index() method at \controlle

CVE-2025-25790 CRITICAL POC
9.8 Feb 26

An arbitrary file upload vulnerability in the component \controller\LocalTemplate.php of FoxCMS v1.2.5 allows attackers

CVE-2025-45238 CRITICAL POC
9.1 May 05

foxcms v1.2.5 was discovered to contain an arbitrary file deletion vulnerability via the delRestoreSerie method. Rated c

CVE-2025-55409 HIGH POC
8.8 Aug 25

FoxCMS 1.2.6, there is a Cross Site Scripting vulnerability in /index.php/article. Rated high severity (CVSS 8.8), this

CVE-2025-55422 HIGH POC
8.8 Aug 27

In FoxCMS 1.2.6, there is a reflected Cross Site Scripting (XSS) vulnerability in /index.php/plus. Rated high severity (

CVE-2025-45240 MEDIUM POC
6.5 May 05

foxcms v1.2.5 was discovered to contain a SQL injection vulnerability via the executeCommand method in DataBackup.php. R

CVE-2025-51650 MEDIUM POC
5.6 Jul 14

An arbitrary file upload vulnerability in the component /controller/PicManager.php of FoxCMS v1.2.6 allows attackers to

CVE-2025-45239 MEDIUM POC
5.3 May 05

An issue in the restores method (DataBackup.php) of foxcms v2.0.6 allows attackers to execute a directory traversal. Rat

CVE-2025-46154 HIGH
8.4 Jun 03

Foxcms v1.25 contains a SQL time-based injection vulnerability in the installdb.php installation script, specifically in

CVE-2025-56630 HIGH
7.3 Sep 08

FoxCMS v1.2.5 and before is vulnerable to SQL Injection via the column_model parameter in the app/admin/controller/Colum

CVE-2025-29181 HIGH
7.2 Apr 17

FOXCMS <= V1.25 is vulnerable to SQL Injection via $param['title'] in /admin/util/Field.php. Rated high severity (CVSS 7

CVE-2025-29180 HIGH
7.2 Apr 17

In FOXCMS <=1.25, the installdb.php file has a time - based blind SQL injection vulnerability. Rated high severity (CVSS

Share

CVE-2025-29306 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy