CVE-2025-61505

MEDIUM

e107 CMS <2.3.3 - Deserialization


Description

e107 CMS through 2.3.3 is vulnerable to insecure deserialization in the `install.php` script. The script passes user-controlled input from the `previous_steps` POST parameter to `unserialize(base64_decode())` without validation, allowing attackers to supply crafted serialized data. Depending on the PHP object gadgets available in the codebase, this could lead to remote code execution, arbitrary file operations, or denial of service.

Exploits (1)

nomisec WRITEUP 1 star
by pescada-dev · poc
https://github.com/pescada-dev/CVE-2025-61505

Scores

CVSS v3 6.5
EPSS 0.0036
EPSS Percentile 58.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-502
Status published
Products (1)
e107/e107 < 2.3.3
Published Oct 10, 2025
Tracked Since Feb 18, 2026