Skip to main content

Twill Cms

1 CVEs product

Monthly

CVE-2026-15518 LOW POC Monitor

Unrestricted file upload in AREA 17 Twill CMS (versions up to 3.6.0) allows authenticated admin users to upload arbitrary file types via the `qqfilename` parameter in the Media Library Insert Page, creating a direct path to remote code execution on the underlying server. A public proof-of-concept documenting the full exploitation chain from file upload to RCE has been published by Bytium. No vendor patch exists - the vendor was contacted during responsible disclosure and did not respond, leaving all installations on affected versions without an official remediation path.

PHP File Upload Twill Cms
NVD VulDB
CVSS 4.0
2.0
EPSS
0.2%
EPSS 0% CVSS 2.0
LOW POC Monitor

Unrestricted file upload in AREA 17 Twill CMS (versions up to 3.6.0) allows authenticated admin users to upload arbitrary file types via the `qqfilename` parameter in the Media Library Insert Page, creating a direct path to remote code execution on the underlying server. A public proof-of-concept documenting the full exploitation chain from file upload to RCE has been published by Bytium. No vendor patch exists - the vendor was contacted during responsible disclosure and did not respond, leaving all installations on affected versions without an official remediation path.

PHP File Upload Twill Cms
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy