CVE-2025-56704

HIGH

Lepton-cms Leptoncms - Unrestricted File Upload

Title source: rule

Description

LeptonCMS version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the lack of proper validation for uploaded files. An authenticated attacker can exploit this vulnerability by uploading a specially crafted ZIP/PHP file to execute arbitrary code.

References (4)

[Not Applicable] http://lepton.com

[Exploit, Third Party Advisory] https://github.com/Kayi626/Vulns/blob/UserAccount/LEPTON_CMS_7.3.0_File_Upload_A.pdf

[Exploit, Third Party Advisory] https://github.com/Kayi626/Vulns/blob/UserAccount/LEPTON_CMS_7.3.0_File_Upload_B.pdf

View Exploit ZIP pw:eip

[Exploit, Third Party Advisory] https://github.com/Kayi626/Vulns/blob/UserAccount/LEPTON_CMS_7.3.0_File_Upload_C.pdf

Scores

CVSS v3 8.8

EPSS 0.0013

EPSS Percentile 31.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Products (1)

lepton-cms/leptoncms 7.3.0

Published Dec 09, 2025

Tracked Since Feb 18, 2026