CVE Catalog

CVE-2026-53691

HighCVSS 8.6
Published: Updated: Translated: NVD NIST

Summary

An unrestricted file upload vulnerability in Redeight CMS 1.0 allows authenticated attackers to achieve remote code execution (RCE) via the POST /admin/index.php?module=pages&mode=FileAdd endpoint. The application fails to validate file extensions and MIME types, permitting arbitrary PHP scripts to be uploaded to the /uploads/files/ directory where they are executed by the web server.

Risk Assessment

An attacker can take over the server, execute arbitrary PHP code, access sensitive data, or install malware, leading to full system compromise.

Recommendation

Immediately update Redeight CMS to the latest version, implement server-side file type and extension validation, and restrict execution permissions on the uploads directory (e.g., disable script execution).

Original NVD description (English source)

An Unrestricted File Upload vulnerability in Redeight CMS version 1.0 allows authenticated attackers to achieve Remote Code Execution via the POST "/admin/index.php?module=pages&mode=FileAdd" endpoint. The application fails to validate file extensions and MIME types, permitting the upload of arbitrary PHP scripts to the publicly accessible "/uploads/files/" directory where they can be executed directly by the web server.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS