Skip to main content

PHP EUVD-2025-19905

| CVE-2025-34086 HIGH
Code Injection (CWE-94)
2025-07-03 disclosure@vulncheck.com GHSA-p9qc-8jjx-g8cg
PHP RCE Code Injection Bolt
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
EUVD ID Assigned
Mar 16, 2026 - 02:12 euvd
EUVD-2025-19905
Analysis Generated
Mar 16, 2026 - 02:12 vuln.today
PoC Detected
Sep 16, 2025 - 19:51 vuln.today
Public exploit code
CVE Published
Jul 03, 2025 - 20:15 nvd
HIGH 8.8

DescriptionCVE.org

Bolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. A user with valid credentials can inject arbitrary PHP code into the displayname field of the user profile, which is rendered unsanitized in backend templates. The attacker can then list and rename cached session files via the /async/browse/cache/.sessions and /async/folder/rename endpoints. By renaming a .session file to a path under the publicly accessible /files/ directory with a .php extension, the attacker can turn the injected code into an executable web shell. Finally, the attacker triggers the payload via a crafted HTTP GET request to the rogue file.

NOTE: The vendor announced that Bolt 3 reached end-of-life after 31 December 2021.

AnalysisAI

Pandora FMS monitoring platform version 7.0NG and earlier contains an authenticated command injection in the net_tools.php functionality. The select_ips parameter is passed to OS commands without sanitization when performing ping operations, allowing authenticated users to execute arbitrary commands on the monitoring server.

Technical ContextAI

The net_tools.php page provides network diagnostic tools (ping, traceroute). The select_ips parameter is incorporated into shell commands without sanitization. Any authenticated Pandora FMS user can inject commands that execute with the web server's privileges on the monitoring server.

RemediationAI

Update Pandora FMS to a current version. Restrict net_tools functionality to administrators. Sanitize all inputs to shell commands using parameterized execution. Segment monitoring infrastructure from production networks.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

EUVD-2025-19905 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy