216.73.216.86

CVE-2025-60641

· Published 16/10/2025 18:15 · Modified 16/10/2025 20:15

Labels: CVE-2025-60641 2025-10-16CVE-2025-60641CWE-89[email protected]

Essential information

Published
16/10/2025 18:15
Modified
16/10/2025 20:15
Author
Creator
CVSS
6.5 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS metrics

Description

The file mexcel.php in the Vfront 0.99.52 codebase contains a vulnerable call to unserialize(base64_decode($_POST['mexcel'])), where $_POST['mexcel'] is user-controlled input. This input is decoded from base64 and deserialized without validation or use of the allowed_classes option, allowing an attacker to inject arbitrary PHP objects. This can lead to malicious behavior, such as Remote Code Execution (RCE), SQL Injection, Path Traversal, or Denial of Service, depending on the availability of exploitable classes in the Vfront codebase or its dependencies.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
vfront / vfront cpe:2.3:a:vfront:vfront:0.99.52:*:*:*:*:*:*:*

References