CVE-2023-53914

CRITICAL

UliCMS 2023.1 - Unauthenticated Authentication Bypass via Mass Assignment in UserController

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-53914. The PoC was published by Mirabbas Ağalarov.

AI-analyzed exploit summary: This Python script exploits a mass assignment vulnerability in Ulicms 2023.1 to create an admin user by sending a crafted POST request with user details and admin privileges.

Description

UliCMS 2023.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through mass assignment in the UserController. An attacker can send a crafted POST request to the admin index.php endpoint with specific parameters to create an administrative account with full system access, without any prior authentication.

Exploits (1)

exploitdb · WORKING POC
by Mirabbas Ağalarov · text · webapps · php
https://www.exploit-db.com/exploits/51486


Classification
Working PoC: 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Ulicms 2023.1-sniffing-vicuna
Authentication: none needed
Prerequisites: Network access to the target application · Ulicms 2023.1-sniffing-vicuna installation
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3: 9.8
EPSS: 0.0060
EPSS Percentile: 43.8%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

CWE: CWE-639
Status: published
Products (2):
ulicms/ulicms 2023.1
ulicms/Ulicms 2023.1
Published: Dec 17, 2025
Tracked Since: Feb 18, 2026