CVE-2025-8120
CRITICALWidzialni Pad Cms < 1.2.1 - Unrestricted File Upload
Title source: ruleDescription
Due to client-controlled permission check parameter, PAD CMS's upload photo functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can then be executed leading to Remote Code Execution.This issue affects all 3 templates: www, bip and ww+bip. This product is End-Of-Life and producent will not publish patches for this vulnerability.
References (1)
Core 1
Core References
Third Party Advisory
https://cert.pl/posts/2025/09/CVE-2025-7063
Scores
CVSS v3
9.8
EPSS
0.0031
EPSS Percentile
54.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-434
Status
published
Products (1)
widzialni/pad_cms
< 1.2.1
Published
Sep 30, 2025
Tracked Since
Feb 18, 2026