What is the CVSS score of CVE-2025-34086?

CVE-2025-34086 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 50.8%.

Which versions of PHP are affected by CVE-2025-34086?

CVE-2025-34086 presents significant security risk, a code injection vulnerability rated CVSS 8.8.

Is there a public PoC exploit available for CVE-2025-34086?

Yes, a public proof-of-concept exploit is available for CVE-2025-34086. Prioritise patching immediately. EPSS: 50.8%.

How to fix or mitigate CVE-2025-34086?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Validate that input sanitization is in place for all user-controlled parameters.

PHP CVE-2025-34086

EUVD-2025-19905 HIGH

Code Injection (CWE-94)

2025-07-03 disclosure@vulncheck.com

GHSA-p9qc-8jjx-g8cg

PHP RCE Code Injection Bolt

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 16, 2026 - 02:12 euvd

EUVD-2025-19905

Analysis Generated

Mar 16, 2026 - 02:12 vuln.today

PoC Detected

Sep 16, 2025 - 19:51 vuln.today

Public exploit code

CVE Published

Jul 03, 2025 - 20:15 nvd

HIGH 8.8

DescriptionNVD

Bolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. A user with valid credentials can inject arbitrary PHP code into the displayname field of the user profile, which is rendered unsanitized in backend templates. The attacker can then list and rename cached session files via the /async/browse/cache/.sessions and /async/folder/rename endpoints. By renaming a .session file to a path under the publicly accessible /files/ directory with a .php extension, the attacker can turn the injected code into an executable web shell. Finally, the attacker triggers the payload via a crafted HTTP GET request to the rogue file.

NOTE: The vendor announced that Bolt 3 reached end-of-life after 31 December 2021.

AnalysisAI

Pandora FMS monitoring platform version 7.0NG and earlier contains an authenticated command injection in the net_tools.php functionality. The select_ips parameter is passed to OS commands without sanitization when performing ping operations, allowing authenticated users to execute arbitrary commands on the monitoring server.

Technical ContextAI

The net_tools.php page provides network diagnostic tools (ping, traceroute). The select_ips parameter is incorporated into shell commands without sanitization. Any authenticated Pandora FMS user can inject commands that execute with the web server's privileges on the monitoring server.

RemediationAI

Update Pandora FMS to a current version. Restrict net_tools functionality to administrators. Sanitize all inputs to shell commands using parameterized execution. Segment monitoring infrastructure from production networks.

CVE-2025-34086 vulnerability details – vuln.today

Back

PHP CVE-2025-34086

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code