CVE-2023-53914 CRITICAL

CVE-2023-53914: UliCMS 2023.1 Authentication Bypass via Mass Assignment Vulnerability

Vendor Ulicms
Product Ulicms
Weakness CWE-639 · IDOR
Published December 17, 2025
Last update April 7, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

UliCMS 2023.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through mass assignment in the UserController. Attackers can send a crafted POST request to the admin index.php endpoint with specific parameters to generate an administrative account with full system access.

Key dates

02 Disclosure timeline

December 17, 2025 CVE published
April 7, 2026 Record updated