CVE-2025-70364

HIGH

Kiamo <8.4 - Code Injection

Title source: llm

Description

An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server. NOTE: the Supplier's position is that this is "a historical and intended administrative feature of the product, accessible only to already authenticated users explicitly granted administrator privileges." However, restrictions on some PHP functions were added in 8.4.

References (2)

http://kiamo.com

https://github.com/hackvens/blog.hackvens.fr/blob/main/_posts/advisories/2025-12-23-CVE-2025-70364-Kiamo.md

View Writeup ZIP pw:eip

Scores

CVSS v3 8.8

EPSS 0.0005

EPSS Percentile 16.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-94

Status published

Published Apr 09, 2026

Tracked Since Apr 09, 2026