CVE-2025-14522

MEDIUM

Baowzh Hfly < 2016-05-11 - Improper Access Control

Title source: rule
STIX 2.1

Description

A vulnerability was detected in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. The impacted element is an unknown function of the file /Public/Kindeditor/php/upload_json.php. Performing manipulation of the argument imgFile results in unrestricted upload. It is possible to initiate the attack remotely. The exploit is now public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Scores

CVSS v3 6.3
EPSS 0.0007
EPSS Percentile 20.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-284 CWE-434
Status published
Products (1)
baowzh/hfly < 2016-05-11
Published Dec 11, 2025
Tracked Since Feb 18, 2026