LeptonCMS
CVE-2025-56704
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable upload endpoint (AV:N, AC:L) requires an authenticated low-privilege account (PR:L), no user interaction, and yields full webshell RCE compromising C/I/A within the same host scope.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
LeptonCMS version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the lack of proper validation for uploaded files. An authenticated attacker can exploit this vulnerability by uploading a specially crafted ZIP/PHP file to execute arbitrary code.
AnalysisAI
Arbitrary code execution in LeptonCMS 7.3.0 lets an authenticated attacker upload a crafted ZIP or PHP file that bypasses the application's missing file-type validation and runs as server-side PHP. Publicly available exploit code (three PoC write-ups) exists, though the flaw is not listed in CISA KEV and EPSS is low (0.66%, 47th percentile), indicating no evidence of widespread active exploitation yet. Exploitation requires a valid low-privilege account (PR:L), placing this in the post-authentication RCE category.
Technical ContextAI
LeptonCMS is a PHP-based content management system; the affected build is pinpointed by CPE cpe:2.3:a:lepton-cms:leptoncms:7.3.0. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type): the upload handler does not enforce an allow-list on file extension or content, so a PHP script - or a PHP payload packed inside a ZIP archive that the application extracts into a web-accessible directory - is stored where the PHP interpreter will execute it. Because CMS upload/media and add-on/module import features routinely accept ZIP archives, the ability to smuggle executable PHP through the archive path is the pivotal weakness that turns an ordinary file upload into remote code execution.
RemediationAI
No vendor-released patch or fixed version is identified in the available data, so no exact upgrade target can be cited. As specific compensating controls: restrict who holds LeptonCMS accounts and disable self-registration so the required PR:L foothold cannot be obtained by anonymous users; remove or restrict access to the media/add-on upload and ZIP-import features for all but trusted administrators (trade-off: blocks legitimate module and media management); enforce an extension and MIME allow-list at a reverse proxy or WAF and reject .php/.phtml/.php5 and archive contents (trade-off: may block legitimate archive uploads); and configure the web server to deny PHP execution in upload/media directories via server config, e.g. disabling the PHP handler for those paths (trade-off: breaks any feature that legitimately serves generated PHP from those directories). Consult the vendor (LeptonCMS project) for an official fix before restoring full upload functionality. The only external references currently available are the PoC documents at https://github.com/Kayi626/Vulns.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Share
External POC / Exploit Code
Leaving vuln.today