CVE-2025-70364

HIGH

Kiamo < 8.4 - Authenticated PHP Code Execution

Title source: llm

Description

An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server. NOTE: the Supplier's position is that this is "a historical and intended administrative feature of the product, accessible only to already authenticated users explicitly granted administrator privileges." However, restrictions on some PHP functions were added in 8.4.

References (2)

Core 2

Core References

http://kiamo.com

https://github.com/hackvens/blog.hackvens.fr/blob/main/_posts/advisories/2025-12-23-CVE-2025-70364-Kiamo.md

View Writeup ZIP pw:eip

Scores

CVSS v3 8.8

EPSS 0.0031

EPSS Percentile 22.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Published Apr 09, 2026

Tracked Since Apr 09, 2026