Critical severityNVD Advisory· Published Dec 4, 2025· Updated Apr 15, 2026

CVE-2025-66571

Description

UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php where the profile_id POST parameter is passed to PHP unserialize() without proper handling, allowing remote, unauthenticated attackers to inject arbitrary PHP objects and potentially write and execute arbitrary PHP code.

Affected products

Unacms/Unareferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

karmainsecurity.com/KIS-2025-01nvd
unacms.comnvd
www.exploit-db.com/exploits/52139nvd
www.vulncheck.com/advisories/una-cms-900-rc1-1400-rc4-php-object-injectionnvd

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000