Vulnerability Description
A flaw has been found in YiFang CMS up to 2.0.5. This affects the function mergeMultipartUpload of the file app/utils/base/plugin/P_file.php. This manipulation of the argument File causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wanglongcn | Yifang | <= 2.0.5 |
Related Weaknesses (CWE)
References
- https://github.com/August829/Yu/blob/main/20250811_3.mdBroken Link
- https://github.com/August829/Yu/blob/main/20250811_3.md#pocBroken Link
- https://vuldb.com/?ctiid.321236Permissions RequiredVDB Entry
- https://vuldb.com/?id.321236Third Party AdvisoryVDB Entry
- https://vuldb.com/?submit.632535Third Party AdvisoryVDB Entry
FAQ
What is CVE-2025-9400?
CVE-2025-9400 is a vulnerability with a CVSS score of 6.3 (MEDIUM). A flaw has been found in YiFang CMS up to 2.0.5. This affects the function mergeMultipartUpload of the file app/utils/base/plugin/P_file.php. This manipulation of the argument File causes unrestricted...
How severe is CVE-2025-9400?
CVE-2025-9400 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-9400?
Check the references section above for vendor advisories and patch information. Affected products include: Wanglongcn Yifang.