CVE-2025-66571

N/A Unknown
Published: December 04, 2025 Modified: December 08, 2025
View on NVD

Description

UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php where the profile_id POST parameter is passed to PHP unserialize() without proper handling, allowing remote, unauthenticated attackers to inject arbitrary PHP objects and potentially write and execute arbitrary PHP code.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/unacms/una
Source: disclosure@vulncheck.com
https://karmainsecurity.com/KIS-2025-01
Source: disclosure@vulncheck.com
https://unacms.com
Source: disclosure@vulncheck.com
https://www.exploit-db.com/exploits/52139
Source: disclosure@vulncheck.com
https://www.vulncheck.com/advisories/una-cms-900-rc1-1400-rc4-php-object-injection
Source: disclosure@vulncheck.com

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
N/A / 10.0
EPSS (Exploit Probability)
0.2%
46th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-502

Related CVEs

CVE-2025-69261 N/A
CVE-2025-69257 6.7
CVE-2025-69210 N/A
CVE-2025-66823 N/A
CVE-2025-50343 N/A