CVE-2025-26325
Published: 27 February 2025
Description
ShopXO 6.4.0 is vulnerable to File Upload in ThemeDataService.php.
Security Summary
CVE-2025-26325 affects ShopXO version 6.4.0 and involves an unrestricted file upload vulnerability in the ThemeDataService.php component. Classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its critical severity due to network-based access, low complexity, lack of authentication or user interaction requirements, and high potential impacts across confidentiality, integrity, and availability. The vulnerability was published on 2025-02-27.
Unauthenticated remote attackers can exploit this flaw over the network without privileges or user interaction. By uploading malicious files through the vulnerable ThemeDataService.php endpoint, attackers can achieve high-impact outcomes, including potential remote code execution, data compromise, or system disruption, as indicated by the CVSS metrics.
The issue is documented in GitHub issue #86 on the gongfuxiang/shopxo repository (https://github.com/gongfuxiang/shopxo/issues/86); security practitioners should review that issue for any disclosed patches, workarounds, or mitigation guidance.
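The summary above describes the general CWE-434 failure: an upload handler that accepts a file whose type it never verifies, letting a dangerous file land somewhere it can later be executed. The following PHP is an added example written for this page, not code from ShopXO, and it does not reflect how ThemeDataService.php is implemented. It shows the server-side controls a hardened upload path applies before any file is stored: a size limit, a strict extension allow-list on a single-extension filename, content sniffing that must agree with the extension, and a server-chosen random filename. The class name, the allow-list, the size limit and the sample inputs are all assumptions made for illustration.

```php
<?php
// Added example (not ShopXO code): server-side validation for an upload
// handler, illustrating the CWE-434 controls implied by the advisory above.
// UploadValidator, its allow-list and its size limit are assumed for illustration.

declare(strict_types=1);

final class UploadValidator
{
    /** Allowed extension => MIME type(s) the sniffed content must report (assumed policy). */
    private const ALLOWED = [
        'png'  => ['image/png'],
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'zip'  => ['application/zip'],
    ];

    private const MAX_BYTES = 10 * 1024 * 1024; // 10 MiB, assumed limit

    /**
     * Validate a file already written to $tmpPath (e.g. $_FILES['file']['tmp_name'])
     * together with the client-supplied name $clientName. Returns a safe
     * server-side filename on success, or throws on any violation.
     */
    public static function validate(string $tmpPath, string $clientName): string
    {
        // 1. Size check before inspecting content.
        $size = filesize($tmpPath);
        if ($size === false || $size === 0 || $size > self::MAX_BYTES) {
            throw new RuntimeException('rejected: invalid size');
        }

        // 2. Filename must be a plain name with exactly one extension, so
        //    dotfiles (.htaccess) and double extensions (x.php.png) are refused.
        $base = basename($clientName);
        if ($base === '' || $base[0] === '.' || substr_count($base, '.') !== 1) {
            throw new RuntimeException('rejected: bad filename');
        }
        $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
        if (!isset(self::ALLOWED[$ext])) {
            throw new RuntimeException('rejected: extension not allowed');
        }

        // 3. Sniffed content must agree with the extension; the client-supplied
        //    Content-Type header is never consulted.
        $finfo = new finfo(FILEINFO_MIME_TYPE);
        $mime  = $finfo->file($tmpPath);
        if ($mime === false || !in_array($mime, self::ALLOWED[$ext], true)) {
            throw new RuntimeException('rejected: content does not match extension');
        }

        // 4. The stored name is chosen by the server: random, with the
        //    validated extension, containing no client input.
        return bin2hex(random_bytes(16)) . '.' . $ext;
    }
}

// Demonstration on a constructed file: a minimal 1x1 RGB PNG (signature + IHDR chunk).
$ihdr = 'IHDR' . pack('NNCCCCC', 1, 1, 8, 2, 0, 0, 0);
$png  = "\x89PNG\r\n\x1a\n" . pack('N', 13) . $ihdr . pack('N', crc32($ihdr));
$tmp  = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, $png);

// Constructed client filenames: only the first should be accepted.
foreach (['logo.png', 'shell.php', 'shell.php.png', 'logo.zip'] as $name) {
    try {
        $stored = UploadValidator::validate($tmp, $name);
        echo "$name -> accepted as $stored\n";
    } catch (RuntimeException $e) {
        echo "$name -> {$e->getMessage()}\n";
    }
}
unlink($tmp);
```

Validation alone is only half of the mitigation: the destination directory should sit outside the web root, or have script execution disabled for it, so that a file which slips past the checks still cannot be run by the server. Requests that fail validation are also worth logging with the client-supplied name, since repeated attempts with executable extensions are a useful detection signal for this class of bug.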
Details
- CWE(s)