CVE-2023-53952 HIGH

CVE-2023-53952: Dotclear 2.25.3 Authenticated Remote Code Execution via File Upload

Vendor Dotclear
Product Dotclear
Weakness CWE-434 · Unrestricted file upload
Published December 19, 2025
Last update April 7, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Dotclear 2.25.3 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with a .phar extension through the blog post creation interface. The uploaded files can contain PHP system commands, which execute when the file is accessed, enabling arbitrary code execution on the server.

Key dates

02 Disclosure timeline

December 19, 2025 CVE published
April 7, 2026 Record updated