CVE-2023-53924 HIGH

CVE-2023-53924: UliCMS 2023.1-sniffing-vicuna Remote Code Execution via Avatar Upload

Vendor Ulicms
Product Ulicms
Weakness CWE-434 · Unrestricted file upload
Published December 17, 2025
Last update April 7, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

UliCMS 2023.1-sniffing-vicuna contains a remote code execution vulnerability that allows authenticated attackers to upload PHP files with a .phar extension during profile avatar upload. Attackers can trigger code execution by visiting the uploaded file's location, enabling system command execution through maliciously crafted avatar uploads.

Key dates

02 Disclosure timeline

December 17, 2025 CVE published
April 7, 2026 Record updated