CVE-2018-25409 HIGH

CVE-2018-25409: SIM-PKH 2.4.1 Arbitrary File Upload via aksi_pengurus.php

Vendor Simpkh

Product SIM-PKH

Weakness CWE-434 · Unrestricted file upload

Published May 30, 2026

Last update June 1, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with module=pengurus and act=update parameters, which are stored in the foto directory and executed as web scripts.

Key dates

Disclosure timeline

May 30, 2026 CVE published

June 1, 2026 Record updated