CVE-2025-67077

HIGH

Agora-project < 25.10 - Unrestricted File Upload

Title source: rule

Description

File upload vulnerability in Omnispace Agora Project before 25.10 allowing authenticated, or under certain conditions also guest users, via the UploadTmpFile action.

References (2)

[Product] https://www.agora-project.net

[Third Party Advisory] https://www.helx.io/blog/advisory-agora-project/

Scores

CVSS v3 8.8

EPSS 0.0002

EPSS Percentile 6.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Products (1)

agora-project/agora-project < 25.10

Published Jan 15, 2026

Tracked Since Feb 18, 2026