CVE-2025-15109: Unrestricted Upload in jackq XCMS
A flaw has been found in jackq XCMS up to 3fab5342cc509945a7ce1b8ec39d19f701b89261. This impacts an unknown function of the file Public/javascripts/admin/plupload-2.1.2/examples/upload.php. This manipulation causes unrestricted upload. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
CVE-2025-15109: Unrestricted Upload in jackq XCMS
Description
A flaw has been found in jackq XCMS up to 3fab5342cc509945a7ce1b8ec39d19f701b89261. This impacts an unknown function of the file Public/javascripts/admin/plupload-2.1.2/examples/upload.php. This manipulation causes unrestricted upload. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2025-12-26T23:14:13.733Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69502a2e91db97df3a0407c6
Added to database: 12/27/2025, 6:49:18 PM
Last updated: 12/27/2025, 9:41:38 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
LangChain core vulnerability allows prompt injection and data exposure
MediumCVE-2025-14177: CWE-125 Out-of-bounds Read in PHP Group PHP
MediumCVE-2025-14180: CWE-476 NULL Pointer Dereference in PHP Group PHP
HighCVE-2025-14178: CWE-787 Out-of-bounds Write in PHP Group PHP
MediumCVE-2025-15108: Use of Hard-coded Cryptographic Key in PandaXGO PandaX
MediumActions
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.