Search for packages
| purl | pkg:composer/badaso/core@2.7.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-19n6-8ndj-cbeg
Aliases: CVE-2025-52353 GHSA-gqp9-jh35-439m |
An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PHP code via the file-upload endpoint, bypassing content-type validation. When such a file is accessed via its URL, the server executes the PHP payload, enabling an attacker to run arbitrary system commands and achieve full compromise of the underlying host. This has been demonstrated by embedding a backdoor within a PDF and renaming it with a .php extension. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-aduh-1gve-mfbk | Badaso version 2.6.3 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users. |
CVE-2022-41705
GHSA-g389-rf5p-fg56 |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-12T20:13:10.185428+00:00 | GitLab Importer | Affected by | VCID-19n6-8ndj-cbeg | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/badaso/core/CVE-2025-52353.yml | 38.6.0 |
| 2026-06-12T18:40:46.402797+00:00 | GitLab Importer | Fixing | VCID-aduh-1gve-mfbk | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/badaso/core/CVE-2022-41705.yml | 38.6.0 |
| 2026-06-12T08:17:17.864815+00:00 | GithubOSV Importer | Fixing | VCID-aduh-1gve-mfbk | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-g389-rf5p-fg56/GHSA-g389-rf5p-fg56.json | 38.6.0 |
| 2026-06-11T20:33:25.181441+00:00 | GHSA Importer | Fixing | VCID-aduh-1gve-mfbk | https://github.com/advisories/GHSA-g389-rf5p-fg56 | 38.6.0 |