CVE-2025-50881HIGH 8.8EPSS p51.7%

CVE-2025-50881CVE-2025-50881

Description

The `flow/admin/moniteur.php` script in Use It Flow administration website before 10.0.0 is vulnerable to Remote Code Execution. When handling GET requests, the script takes user-supplied input from the `action` URL parameter, performs insufficient validation, and incorporates this input into a string that is subsequently executed by the `eval()` function. Although a `method_exists()` check is performed, it only validates the part of the user input *before* the first parenthesis `(`, allowing an attacker to append arbitrary PHP code after a valid method call structure. Successful exploitation allows an unauthenticated or trivially authenticated attacker to execute arbitrary PHP code on the server with the privileges of the web server process.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.80% probability of exploitation · percentile 51.7% · 2026-06-18T12:00:27Z
Published2026-03-16
Last modified2026-04-27

Underlying weaknesses· 1

CWE-94

References

  1. http://advanced.com
  2. http://use.com
  3. https://github.com/0xdeadbit/CVE-2025-50881

1

TypeTargetConfidenceTier
WeaknessImproper Control of Generation of Code ('Code Injection')cwe-940%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-11585
CVE
CVE-2025-15405
CVE
CVE-2026-5333
CVE
CVE-2025-41734
CVE
CVE-2025-10118
CVE
CVE-2025-50706
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.