VYPR
Unrated severity · NVD Advisory · Published Dec 17, 2025 · Updated Apr 7, 2026

UliCMS 2023.1-sniffing-vicuna Remote Code Execution via Avatar Upload

CVE-2023-53924

Description

UliCMS 2023.1-sniffing-vicuna contains a remote code execution vulnerability that allows authenticated attackers to upload PHP files with .phar extension during profile avatar upload. Attackers can trigger code execution by visiting the uploaded file's location, enabling system command execution through maliciously crafted avatar uploads.

Affected products

2
  • UliCMS/UliCMS (llm-fuzzy), 2 versions
    • (no CPE) range: = 2023.1-sniffing-vicuna
    • (no CPE) range: 2023.1

References

3
