CVE-2025-66571
CRITICAL
UNA CMS 9.0.0-RC1 through 14.0.0-RC4 - Code Injection via PHP Object Injection
UNA CMS versions 9.0.0-RC1 through 14.0.0-RC4 contain a PHP object injection vulnerability (CWE-502) in BxBaseMenuSetAclLevel.php: the profile_id POST parameter is passed to PHP's unserialize() without validation, so a remote, unauthenticated attacker can instantiate arbitrary PHP objects and, given a suitable gadget chain in the application, potentially write and execute arbitrary PHP code.
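The pattern behind this record, as an added example that is not UNA CMS code: a handler that feeds a POST parameter straight into unserialize(), next to two hardened forms. The class FileLogger, the function names and the payload are hypothetical stand-ins constructed for illustration; the real gadget chain and file layout in UNA are not reproduced here.

```php
<?php
// Added example (not UNA CMS code). Names are hypothetical.

// Any autoloadable class with __wakeup()/__destruct() becomes reachable once
// unserialize() runs on attacker-controlled data. This one only prints, to
// make the side effect visible; a real gadget would write a file.
class FileLogger {
    public $path;
    public $data;
    public function __destruct() {
        echo "[__destruct] would write to {$this->path}: {$this->data}\n";
    }
}

// Vulnerable pattern (CWE-502): request data reaches the unserialize() sink.
function setAclLevelVulnerable(array $post): array {
    $profileIds = unserialize($post['profile_id']);   // attacker-controlled
    return is_array($profileIds) ? $profileIds : [];
}

// Hardened: never unserialize request data. Accept a JSON array of integers
// (or a comma-separated list) and validate each element.
function setAclLevelHardened(array $post): array {
    $raw = $post['profile_id'] ?? '';
    $ids = json_decode($raw, true, 2);                 // depth 2: flat array only
    if (!is_array($ids)) {
        $ids = explode(',', $raw);
    }
    $clean = [];
    foreach ($ids as $id) {
        if (is_int($id) || (is_string($id) && ctype_digit($id))) {
            $clean[] = (int) $id;
        }
    }
    return $clean;
}

// If serialized input must still be accepted for compatibility, at minimum
// forbid objects: they come back as __PHP_Incomplete_Class and no magic
// methods run. The expected shape is still validated afterwards.
function setAclLevelLegacySafe(array $post): array {
    $v = @unserialize($post['profile_id'], ['allowed_classes' => false]);
    if (!is_array($v)) {
        return [];
    }
    return array_values(array_filter(array_map('intval', $v), fn($i) => $i > 0));
}

// Constructed payload: a serialized FileLogger object in place of an ID list.
$payload = 'O:10:"FileLogger":2:{s:4:"path";s:10:"/tmp/x.php";s:4:"data";s:4:"evil";}';

echo "vulnerable:\n";
var_dump(setAclLevelVulnerable(['profile_id' => $payload]));
// The object is instantiated and __destruct fires when it goes out of scope,
// even though the function returns [] because the result is not an array.

echo "hardened:\n";
var_dump(setAclLevelHardened(['profile_id' => $payload]));   // [] - never unserialized
var_dump(setAclLevelHardened(['profile_id' => '[12,34]']));  // [12, 34]

echo "legacy-safe:\n";
var_dump(setAclLevelLegacySafe(['profile_id' => $payload])); // [] - no __destruct
```

The point of the three variants is the order of preference: replace the serialization format entirely (JSON or a plain integer list) first; fall back to `allowed_classes => false` only where the wire format cannot change, since that still leaves PHP parsing attacker-shaped data, just without instantiating classes.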
Exploits (1)
exploitdb
WORKING POC
by Egidio Romano · text · webapps · multiple
https://www.exploit-db.com/exploits/52139
References (5)
Scores
CVSS v4
9.3
EPSS
0.0031 (0.31%)
EPSS Percentile
54.4%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-502
Status
published
Products (2)
Vendor not specified / UNA CMS
9.0.0-RC1 - 14.0.0-RC4
Vendor unknown / UNA CMS
9.0.0-RC1 - 14.0.0-RC4
Published
Dec 04, 2025
Tracked Since
Feb 18, 2026