Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A vulnerability was found in GreenCMS up to 2.3. Affected is the function themeadd of the file /index.php?m=admin&c=custom&a=themeadd. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.
AnalysisAI
Unrestricted file upload in GreenCMS up to version 2.3 allows authenticated remote attackers to upload arbitrary files via the themeadd function in the custom admin module, potentially enabling remote code execution or content manipulation. Publicly available exploit code exists and the vulnerability affects only end-of-life versions of the product.
Technical ContextAI
GreenCMS is a PHP-based content management system. The vulnerability exists in the administrative file upload handler at /index.php?m=admin&c=custom&a=themeadd, which processes theme uploads without proper file type or content validation. This is a classic CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerability where an authenticated user can bypass file extension checks or MIME type validation to upload executable code (typically PHP webshells) disguised as theme files. The vulnerability affects the custom theme management functionality in the admin panel.
RemediationAI
The primary remediation is to discontinue use of GreenCMS 2.3 and earlier versions and migrate to a modern, actively maintained content management system such as WordPress, Drupal, or Joomla. For organizations unable to immediately migrate, implement compensating controls: (1) Restrict administrative access to known IP ranges using web server configuration (e.g., .htaccess for Apache or nginx access_log rules), (2) Disable the custom theme upload feature entirely by removing or commenting out the themeadd function in /index.php or by restricting access to the /index.php?m=admin&c=custom route at the web server level, (3) Implement file type whitelisting at the web server level to block execution of uploaded files (set Execute-off for the upload directory in .htaccess or use nginx location blocks to deny PHP execution in upload paths), and (4) Monitor the upload directory for suspicious files and implement intrusion detection rules for known exploit patterns. Note that these controls do not eliminate the vulnerability itself and should be considered temporary bridges during migration planning. No vendor patch is available due to EOL status.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25721