CVE-2025-66571

UNA CMS <14.0.0-RC4 - Code Injection

Description

UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php where the profile_id POST parameter is passed to PHP unserialize() without proper handling, allowing remote, unauthenticated attackers to inject arbitrary PHP objects and potentially write and execute arbitrary PHP code.

Exploits (1)

exploitdb WORKING POC
by Egidio Romano · text · webapps · multiple
https://www.exploit-db.com/exploits/52139

Scores

EPSS 0.0027
EPSS Percentile 49.7%

Classification

CWE
CWE-502
Status draft

Timeline

Published Dec 04, 2025
Tracked Since Feb 18, 2026