CVE-2025-12347HIGH 8.8EPSS p24.2%

CVE-2025-12347CVE-2025-12347

Description

A flaw has been found in MaxSite CMS up to 109. This issue affects some unknown processing of the file application/maxsite/admin/plugins/editor_files/save-file-ajax.php. Executing manipulation of the argument file_path/content can lead to unrestricted upload. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.33% probability of exploitation · percentile 24.2% · 2026-06-18T12:00:27Z
Published2025-10-28
Last modified2026-04-29

Underlying weaknesses· 2

CWE-284CWE-434

References

  1. https://note-hxlab.wetolink.com/share/lIWZkTHQPSVh
  2. https://vuldb.com/?ctiid.330137
  3. https://vuldb.com/?id.330137
  4. https://vuldb.com/?submit.674552

2

TypeTargetConfidenceTier
WeaknessImproper Access Controlcwe-2840%live
WeaknessUnrestricted Upload of File with Dangerous Typecwe-4340%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-12346
CVE
CVE-2026-37700
CVE
CVE-2026-3395
CVE
CVE-2025-9415
CVE
CVE-2025-54757
CVE
CVE-2025-10480
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.