CVE-2025-69906

HIGH

Monstra CMS 3.0.4 - Remote Code Execution via Files Manager Plugin File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-69906. PoCs published by cypherdavy.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2025-69906, an arbitrary file upload vulnerability in Monstra CMS 3.0.4. It includes vulnerable code snippets, bypass techniques, and impact assessment, but does not contain functional exploit code.

Description

Monstra CMS v3.0.4 contains an arbitrary file upload vulnerability in the Files Manager plugin. The application relies on blacklist-based file extension validation and stores uploaded files directly in a web-accessible directory. Under typical server configurations, this can allow an attacker to upload files that are interpreted as executable code, resulting in remote code execution.

Exploits (1)

nomisec WRITEUP 3 stars
by cypherdavy · poc
https://github.com/cypherdavy/CVE-2025-69906-Monstra-CMS-3.0.4-Arbitrary-File-Upload-to-RCE

Classification: Writeup 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Monstra CMS <= 3.0.4
Auth required
Prerequisites: Authenticated access to the Files Manager plugin
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 8.8
EPSS 0.0068
EPSS Percentile 47.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE CWE-434
Status published
Products (1)
monstra/monstra_cms 3.0.4
Published Feb 05, 2026
Tracked Since Feb 18, 2026