CVE-2025-67325

CRITICAL

Webkul QloApps < 1.7.0 - Unrestricted File Upload

Title source: rule

Description

Unrestricted file upload in the hotel review feature in QloApps versions 1.7.0 and earlier allows remote unauthenticated attackers to achieve remote code execution.

Exploits (1)

nomisec WORKING POC
by mr7s3d0 · poc
https://github.com/mr7s3d0/CVE-2025-67325

Scores

CVSS v3: 9.8
EPSS: 0.0029
EPSS Percentile: 52.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-434
Status: published
Products (1): webkul/qloapps < 1.7.0
Published: Jan 08, 2026
Tracked Since: Feb 18, 2026