Description
An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PHP code via the file-upload endpoint, bypassing content-type validation. When such a file is accessed via its URL, the server executes the PHP payload, enabling an attacker to run arbitrary system commands and achieve full compromise of the underlying host. This has been demonstrated by embedding a backdoor within a PDF and renaming it with a .php extension.
References (2)
Core 2
Core References
Exploit, Third Party Advisory
https://medium.com/@pat.sanitjairak/remote-code-execution-in-a-plain-view-0f86f183543d
Scores
CVSS v3
9.8
EPSS
0.0026
EPSS Percentile
49.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-434
Status
published
Products (2)
badaso/core
0Packagist
uatech/badaso
2.9.11
Published
Aug 26, 2025
Tracked Since
Feb 18, 2026