Home

Description

A vulnerability has been found in shanyu SyCms up to a242ef2d194e8bb249dc175e7c49f2c1673ec921. This issue affects the function addPost of the file Application/Admin/Controller/FileManageController.class.php of the component Administrative Panel. The manipulation leads to code injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. This product adopts a rolling release strategy to maintain continuous delivery The project was informed of the problem early through an issue report but has not responded yet. This vulnerability only affects products that are no longer supported by the maintainer.

PUBLISHED Reserved 2025-12-27 | Published 2025-12-28 | Updated 2025-12-29 | Assigner VulDB




MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
MEDIUM: 4.7CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
MEDIUM: 4.7CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
5.8AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

Problem types

Code Injection

Injection

Product status

a242ef2d194e8bb249dc175e7c49f2c1673ec921
affected

Timeline

2025-12-27:Advisory disclosed
2025-12-27:VulDB entry created
2025-12-27:VulDB entry last update

Credits

formanagain (VulDB User) reporter

References

vuldb.com/?id.338508 (VDB-338508 | shanyu SyCms Administrative Panel FileManageController.class.php addPost code injection) vdb-entry technical-description

vuldb.com/?ctiid.338508 (VDB-338508 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.712813 (Submit #712813 | SyCms 1.0 Unrestricted Upload) third-party-advisory

gitee.com/shanyu/SyCms/issues/IDCEWG exploit issue-tracking

cve.org (CVE-2025-15130)

nvd.nist.gov (CVE-2025-15130)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.