CVE-2025-70364 · HIGH 8.8 · EPSS percentile 22.0%

Description

An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server. NOTE: the Supplier's position is that this is "a historical and intended administrative feature of the product, accessible only to already authenticated users explicitly granted administrator privileges." However, restrictions on some PHP functions were added in 8.4.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.30% probability of exploitation · percentile 22.0% · scored 2026-06-18T12:00:27Z
Published: 2026-04-09
Last modified: 2026-04-22

Underlying weaknesses (1)

CWE-94

References

  1. http://kiamo.com
  2. https://github.com/hackvens/blog.hackvens.fr/blob/main/_posts/advisories/2025-12-23-CVE-2025-70364-Kiamo.md

Type: Weakness · Target: Improper Control of Generation of Code ('Code Injection'), cwe-94 · Confidence: 0% · Tier: live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-41734
  2. CVE-2025-29902
  3. CVE-2025-29058
  4. CVE-2025-50707
  5. CVE-2026-31019
  6. CVE-2025-63406
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.