Unrated severityNVD Advisory· Published Sep 30, 2025· Updated Sep 30, 2025

Remote Code Execution via Unrestricted File Upload in PAD CMS

CVE-2025-7065

Description

Due to client-controlled permission check parameter, PAD CMS's photo upload functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can then be executed leading to Remote Code Execution. This issue affects all 3 templates: www, bip and ww+bip.

This product is End-Of-Life and producent will not publish patches for this vulnerability.

Affected products

Packagist/Cmsllm-fuzzy
Package: https://packagist.org/packages/typo3/cms
Polska Akademia Dostępności/PAD CMSv5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

cert.pl/posts/2025/09/CVE-2025-7063mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000