What is the CVSS score of CVE-2025-61506?

CVE-2025-61506 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.2%.

Which versions of Mediacrush are affected by CVE-2025-61506?

MediaCrush instances are vulnerable to unrestricted file uploads that could allow attackers to exhaust storage, deploy malware, or compromise system availability without authentication.

Is there a public PoC exploit available for CVE-2025-61506?

Yes, a public proof-of-concept exploit is available for CVE-2025-61506. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate CVE-2025-61506?

Within 24 hours: Identify all MediaCrush deployments and take the /upload endpoint offline or restrict access to trusted networks only. Within 7 days: Implement WAF rules to block POST requests to /upload or deploy network segmentation to limit access. Within 30 days: Evaluate alternative solutions or migrate to patched versions when available; conduct forensic review of upload logs for malicious activity.

Mediacrush CVE-2025-61506

CRITICAL

Unrestricted Upload of File with Dangerous Type (CWE-434)

2026-02-03 cve@mitre.org

File Upload Mediacrush

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 11, 2026 - 19:26 vuln.today

Public exploit code

CVE Published

Feb 03, 2026 - 18:16 nvd

CRITICAL 9.8

DescriptionNVD

An issue was discovered in MediaCrush thru 1.0.1 allowing remote unauthenticated attackers to upload arbitrary files of any size to the /upload endpoint.

AnalysisAI

MediaCrush through version 1.0.1 allows unauthenticated arbitrary file upload without file type restrictions, enabling web shell deployment and remote code execution.

Technical ContextAI

MediaCrush <= 1.0.1 has a CWE-434 unrestricted file upload that accepts any file type without authentication, allowing direct upload and execution of web shells.

RemediationAI

Do not expose MediaCrush to the internet. Implement authentication and file type validation.

CVE-2025-61506 vulnerability details – vuln.today

Back

Mediacrush CVE-2025-61506

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code