CVE-2025-14522
Dec. 12, 2025, 3:18 p.m.
5.3
Medium
Description
A vulnerability was detected in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. The impacted element is an unknown function of the file /Public/Kindeditor/php/upload_json.php. Performing manipulation of the argument imgFile results in unrestricted upload. It is possible to initiate the attack remotely. The exploit is now public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
Product(s) Impacted
| Product | Versions |
|---|
Weaknesses
Common security weaknesses mapped to this vulnerability.
CWE-284
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Tags
CVSS Score
CVSS Data - 4.0
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Attack Requirements: NONE
- Privileges Required: LOW
- User Interaction: NONE
- Scope:
- Confidentiality Impact: LOW
- Integrity Impact: LOW
- Availability Impact: LOW
- Exploit Maturity: PROOF_OF_CONCEPT
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Timeline
Published: Dec. 11, 2025, 4:16 p.m.
Last Modified: Dec. 12, 2025, 3:18 p.m.
Last Modified: Dec. 12, 2025, 3:18 p.m.
Status : Awaiting Analysis
CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
More infoSource
cna@vuldb.com
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.