CVE-2023-53924
HIGHUliCMS 2023.1-sniffing-vicuna - RCE
Title source: llmDescription
UliCMS 2023.1-sniffing-vicuna contains a remote code execution vulnerability that allows authenticated attackers to upload PHP files with .phar extension during profile avatar upload. Attackers can trigger code execution by visiting the uploaded file's location, enabling system command execution through maliciously crafted avatar uploads.
Exploits (1)
exploitdb
WORKING POC
by Mirabbas Ağalarov · textwebappsphp
https://www.exploit-db.com/exploits/51434
Scores
CVSS v3
8.8
EPSS
0.0046
EPSS Percentile
64.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (2)
ulicms/ulicms
2023.1
Ulicms/Ulicms
2023.1
Published
Dec 17, 2025
Tracked Since
Feb 18, 2026