CVE-2012-10050
CRITICALCuteFlow <2.11.2 - RCE
Title source: llmDescription
CuteFlow version 2.11.2 and earlier contains an arbitrary file upload vulnerability in the restart_circulation_values_write.php script. The application fails to validate or restrict uploaded file types, allowing unauthenticated attackers to upload arbitrary PHP files to the upload/___1/ directory. These files are then accessible via the web server, enabling remote code execution.
Exploits (2)
exploitdb
WORKING POC
VERIFIED
by Metasploit · rubywebappsphp
https://www.exploit-db.com/exploits/20111
metasploit
WORKING POC
EXCELLENT
by bcoles · rubypocphp
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/cuteflow_upload_exec.rb
References (6)
Scores
CVSS v4
9.3
EPSS
0.6565
EPSS Percentile
98.5%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-434
Status
published
Products (1)
CuteFlow.org/CuteFlow
< 2.11.2
Published
Aug 08, 2025
Tracked Since
Feb 18, 2026