Skip to main content

LeptonCMS CVE-2025-56704

HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2025-12-09 cve@mitre.org
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable upload endpoint (AV:N, AC:L) requires an authenticated low-privilege account (PR:L), no user interaction, and yields full webshell RCE compromising C/I/A within the same host scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 03:16 vuln.today

DescriptionNVD

LeptonCMS version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the lack of proper validation for uploaded files. An authenticated attacker can exploit this vulnerability by uploading a specially crafted ZIP/PHP file to execute arbitrary code.

AnalysisAI

Arbitrary code execution in LeptonCMS 7.3.0 lets an authenticated attacker upload a crafted ZIP or PHP file that bypasses the application's missing file-type validation and runs as server-side PHP. Publicly available exploit code (three PoC write-ups) exists, though the flaw is not listed in CISA KEV and EPSS is low (0.66%, 47th percentile), indicating no evidence of widespread active exploitation yet. Exploitation requires a valid low-privilege account (PR:L), placing this in the post-authentication RCE category.

Technical ContextAI

LeptonCMS is a PHP-based content management system; the affected build is pinpointed by CPE cpe:2.3:a:lepton-cms:leptoncms:7.3.0. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type): the upload handler does not enforce an allow-list on file extension or content, so a PHP script - or a PHP payload packed inside a ZIP archive that the application extracts into a web-accessible directory - is stored where the PHP interpreter will execute it. Because CMS upload/media and add-on/module import features routinely accept ZIP archives, the ability to smuggle executable PHP through the archive path is the pivotal weakness that turns an ordinary file upload into remote code execution.

RemediationAI

No vendor-released patch or fixed version is identified in the available data, so no exact upgrade target can be cited. As specific compensating controls: restrict who holds LeptonCMS accounts and disable self-registration so the required PR:L foothold cannot be obtained by anonymous users; remove or restrict access to the media/add-on upload and ZIP-import features for all but trusted administrators (trade-off: blocks legitimate module and media management); enforce an extension and MIME allow-list at a reverse proxy or WAF and reject .php/.phtml/.php5 and archive contents (trade-off: may block legitimate archive uploads); and configure the web server to deny PHP execution in upload/media directories via server config, e.g. disabling the PHP handler for those paths (trade-off: breaks any feature that legitimately serves generated PHP from those directories). Consult the vendor (LeptonCMS project) for an official fix before restoring full upload functionality. The only external references currently available are the PoC documents at https://github.com/Kayi626/Vulns.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2025-56704 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy