CVE-2025-61505

MEDIUM

e107 CMS <2.3.3 - Deserialization

Title source: llm

Description

e107 CMS through 2.3.3 is vulnerable to insecure deserialization in the `install.php` script. The script processes user-controlled input from the `previous_steps` POST parameter with `unserialize(base64_decode())` and no validation, allowing attackers to supply crafted serialized data. Depending on the PHP object gadgets available in the codebase, this could lead to remote code execution, arbitrary file operations, or denial of service.

Exploits (1)

nomisec writeup (1 star) by pescada-dev · poc
https://github.com/pescada-dev/CVE-2025-61505

Scores

CVSS v3 6.5
EPSS 0.0033
EPSS Percentile 55.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Classification

CWE
CWE-502
Status published

Affected Products (1)

e107/e107 < 2.3.3

Timeline

Published Oct 10, 2025
Tracked Since Feb 18, 2026