CVE-2024-42599

HIGH

SeaCMS 13.0 - Authenticated Remote Code Execution via admin_files.php

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-42599. PoCs published by fushuling.

AI-analyzed exploit summary This document provides a technical analysis of CVE-2024-42599, detailing how SeaCMS 13.0's admin_files.php allows authenticated attackers to bypass file extension restrictions and inject malicious code into template files, leading to remote code execution.

Description

SeaCMS 13.0 has a remote code execution vulnerability. The reason for this vulnerability is that although admin_files.php imposes restrictions on edited files, attackers can still bypass these restrictions and write code, allowing authenticated attackers to exploit the vulnerability to execute arbitrary commands and gain system privileges.

Exploits (1)

gitee WRITEUP 1 stars
by fushuling · poc
https://gitee.com/fushuling/cve/blob/master/SeaCMS%20V13%20admin_files.php%20code%20injection.md

This document provides a technical analysis of CVE-2024-42599, detailing how SeaCMS 13.0's admin_files.php allows authenticated attackers to bypass file extension restrictions and inject malicious code into template files, leading to remote code execution.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: SeaCMS 13.0
Auth required
Prerequisites: Authenticated access to admin_files.php · Ability to traverse directories using path manipulation
devstral-2 · analyzed Mar 04, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 8.8
EPSS 0.0040
EPSS Percentile 61.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (1)
seacms/seacms 13.0
Published Aug 22, 2024
Tracked Since Feb 18, 2026