CVE-2025-10353

CRITICAL EXPLOITED NUCLEI

Melis Platform < 5.3.1 - Remote Code Execution via File Upload in melis-cms-slider Module

Title source: llm

Exploitation Summary

CVE-2025-10353 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including ivansmc and tempiltin. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2025-10353, a file upload vulnerability in the `melis-cms-slider` module of Melis Platform that can lead to remote code execution (RCE). The writeup includes specific details about the vulnerable endpoint, parameters, and exploitation steps, but does not include functional exploit code.

Description

File upload leading to remote code execution (RCE) in the “melis-cms-slider” module of Melis Technology's Melis Platform. This vulnerability allows an attacker to upload a malicious file via a POST request to '/melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm' using the 'mcsdetail_img' parameter.

Exploits (3)

github WRITEUP 1 star
by ivansmc · poc
https://github.com/ivansmc/CVE-2025-10353-POC

This repository provides a detailed technical analysis of CVE-2025-10353, a file upload vulnerability in the `melis-cms-slider` module of Melis Platform that can lead to remote code execution (RCE). The writeup includes specific details about the vulnerable endpoint, parameters, and exploitation steps, but does not include functional exploit code.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Melis Platform (melis-cms-slider module)
No auth needed
Prerequisites: Access to the vulnerable endpoint · Ability to send crafted HTTP requests · Explicit authorization to test the target system
devstral-2 · analyzed May 01, 2026

nomisec STUB
by tempiltin · poc
https://github.com/tempiltin/CVE-2025-10353-POC

The repository contains only a README.md file with minimal content, providing no exploit code, technical details, or functional proof-of-concept. It is a placeholder with no substantive information about CVE-2025-10353.

Classification: Stub 100%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 23, 2026

vulncheck_xdb WRITEUP
remote
https://github.com/ivansmc00/CVE-2025-10353

This repository provides a detailed technical writeup for CVE-2025-10353, a file upload vulnerability in the `melis-cms-slider` module of Melis Platform that can lead to remote code execution (RCE). The README includes specific details about the vulnerable endpoint, parameters, and exploitation steps, but does not contain functional exploit code.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Melis Platform (melis-cms-slider module)
No auth needed
Prerequisites: Access to the vulnerable endpoint · Ability to send crafted HTTP requests
devstral-2 · analyzed Mar 11, 2026

Nuclei Templates (1)

Melis Technology Melis Platform - Unrestricted File Upload & Remote Code Execution
CRITICAL · VERIFIED · by ohmygod20260203
Shodan: http.html:"/melis/MelisCms"
FOFA: body="/melis/MelisCms" || body="MelisDemoCms"

Scores

CVSS v4: 9.3
EPSS: 0.0128
EPSS Percentile: 80.0%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

VulnCheck KEV: 2026-03-10
CWE: CWE-43
Status: published
Products (2):
Melis Technology/Melis Platform < 5.3.1
melisplatform/melis-cms-slider 0 - 5.3.1 (Packagist)
Published: Oct 08, 2025
Tracked Since: Feb 18, 2026