CVE-2025-52353

An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PHP code via the file-upload endpoint, bypassing content-type validation. When such a file is accessed via its URL, the server executes the PHP payload, enabling an attacker to run arbitrary system commands and achieve full compromise of the underlying host. This has been demonstrated by embedding a backdoor within a PDF and renaming it with a .php extension.

Published: Aug 26, 2025
Updated: Aug 28, 2025
CVE: CVE-2025-52353
GHSA: GHSA-gqp9-jh35-439m
Severity: High
Exploit:

No technical information available.

CWEs:

CWE-434

Affected Software
References

Software	From	Fixed in
badaso / core	-	2.9.11.x

https://medium.com/@pat.sanitjairak/remote-code-execution-in-a-plain-view-0f86f183543d

Vulnerability Database

CVE-2025-52353