Home

Description

Serendipity 2.4.0 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension. Attackers can upload files with system command payloads to the media upload endpoint and execute arbitrary commands on the server.

PUBLISHED Reserved 2025-12-16 | Published 2025-12-17 | Updated 2025-12-18 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Unrestricted Upload of File with Dangerous Type

Product status

2.4.0
affected

Credits

Mirabbas Ağalarov finder

References

www.exploit-db.com/exploits/51372 exploit

www.exploit-db.com/exploits/51372 (ExploitDB-51372) exploit

docs.s9y.org/ (Official Product Homepage) product

www.vulncheck.com/...d-remote-code-execution-via-file-upload (VulnCheck Advisory: Serendipity 2.4.0 Authenticated Remote Code Execution via File Upload) third-party-advisory

cve.org (CVE-2023-53933)

nvd.nist.gov (CVE-2023-53933)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.