Unrated severityNVD Advisory· Published Sep 30, 2025· Updated Sep 30, 2025

Remote Code Execution via Unrestricted File Upload in PAD CMS

CVE-2025-8120

Description

Due to client-controlled permission check parameter, PAD CMS's upload photo functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can then be executed leading to Remote Code Execution.This issue affects all 3 templates: www, bip and ww+bip.

This product is End-Of-Life and producent will not publish patches for this vulnerability.

Affected products

Polska Akademia Dostępności/PAD CMSv5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

cert.pl/posts/2025/09/CVE-2025-7063mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000