CVE-2025-64050

HIGH

REDAXO CMS 5.20.0 - Authenticated Remote Code Execution via Template Management PHP Injection

Title source: llm

Description

A Remote Code Execution (RCE) vulnerability in the template management component in REDAXO CMS 5.20.0 allows remote authenticated administrators to execute arbitrary operating system commands by injecting PHP code into an active template. The payload is executed when visitors access frontend pages using the compromised template.

Scores

CVSS v3 7.2
EPSS 0.0079
EPSS Percentile 51.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (2)
redaxo/redaxo 5.20.0
redaxo/source 0 - 5.20.1 (Packagist)
Published Nov 25, 2025
Tracked Since Feb 18, 2026