CVE-2025-1186

Medium

Published: 12 February 2025

Published

12 February 2025

Modified

03 July 2025

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0008 23.1th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was found in dayrui XunRuiCMS up to 4.6.4. It has been declared as critical. This vulnerability affects unknown code of the file /Control/Api/Api.php. The manipulation of the argument thumb leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Security Summary

CVE-2025-1186 is a critical deserialization vulnerability in dayrui XunRuiCMS versions up to 4.6.4, affecting unknown code within the file /Control/Api/Api.php. The issue arises from manipulation of the "thumb" argument, linked to CWE-20 (Improper Input Validation) and CWE-502 (Deserialization of Untrusted Data). It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-02-12.

Attackers with low privileges can exploit this vulnerability remotely by manipulating the "thumb" parameter, potentially leading to low-level impacts on confidentiality, integrity, and availability. The exploit has been publicly disclosed and may be actively used.

Advisories and details are available via VulDB entries (ctiid.295090, id.295090, submit.495820), with a proof-of-concept exploit documented in a GitHub-hosted PDF at https://github.com/pwysec/d6qRhl/blob/main/1.pdf. No specific patches or mitigations are detailed in the available information.

Details

CWE(s): CWE-20CWE-502

Affected Products

xunruicms

≤ 4.6.4

References

https://github.com/pwysec/d6qRhl/blob/main/1.pdf
Broken Link · cna@vuldb.com
https://vuldb.com/?ctiid.295090
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.295090
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.495820
Third Party Advisory, VDB Entry · cna@vuldb.com