CVE-2025-61505

Date: October 9, 2025

e107 CMS versions through 2.3.3 are vulnerable to insecure deserialization in the "install.php" script. The script passes user-controlled input from the "previous_steps" POST parameter to "unserialize(base64_decode())" without validation, allowing attackers to craft malicious serialized data. This could lead to remote code execution, arbitrary file operations, or denial of service, depending on the PHP object gadgets available in the codebase.
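A defensive sketch of the pattern described above, added here as an example and not taken from e107's code or its fix: wizard state carried in a form field is encoded as JSON and authenticated with an HMAC, so no PHP object is ever built from request data. The function names, the size limit, the state layout and the key handling are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for carrying installer state in a hidden form field.
// All names and limits below are assumptions, not e107 identifiers.
const STATE_MAX_BYTES = 8192; // assumed upper bound for the encoded field

// Pattern named in the advisory, shown for contrast only:
//   $steps = unserialize(base64_decode($_POST['previous_steps']));
// If native serialization must stay, passing ['allowed_classes' => false]
// as the second argument of unserialize() stops object instantiation.

function encode_steps(array $steps, string $key): string
{
    $json = json_encode($steps, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, $key); // 64 hex characters
    return base64_encode($mac . $json);
}

function decode_steps(string $field, string $key): ?array
{
    if (strlen($field) > STATE_MAX_BYTES) {
        return null; // oversized input is rejected before decoding
    }
    $raw = base64_decode($field, true); // strict mode: invalid alphabet fails
    if ($raw === false || strlen($raw) <= 64) {
        return null;
    }
    $mac  = substr($raw, 0, 64);
    $json = substr($raw, 64);
    // Constant-time comparison; the payload is parsed only after it verifies.
    if (!hash_equals(hash_hmac('sha256', $json, $key), $mac)) {
        return null;
    }
    try {
        $steps = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($steps) ? $steps : null;
}

// Constructed demonstration values.
$key   = random_bytes(32); // assumed: a per-install secret kept server-side
$field = encode_steps(['language' => 'English', 'step' => 3], $key);
var_dump(decode_steps($field, $key));    // round trip of an untampered field
$forged = base64_encode(str_repeat('0', 64) . '{"step":99}');
var_dump(decode_steps($forged, $key));   // field with a MAC that does not verify
```

Keeping the wizard state in the server-side session instead of a form field removes the need to accept it from the client at all.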

Severity Score

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE
