CVE-2025-0465 MEDIUM

CVE-2025-0465: AquilaCMS categories deserialization

Vendor N/A

Product AquilaCMS

Weakness CWE-502 · Unsafe deserialization

Published January 14, 2025

Last update January 14, 2025

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A vulnerability was found in AquilaCMS 1.412.13. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/v2/categories. The manipulation of the argument PostBody.populate leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

January 14, 2025 CVE published

January 14, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-0465

Related vulnerabilities

04Related CVE

CVE-2025-30165 Remote Code Execution Vulnerability in vLLM Multi-Node Cluster Configuration CVE-2024-25100 WordPress Coupon Referral Program plugin < 1.8.4 - Unauthenticated PHP Object Injection vulnerability CVE-2024-24796 WordPress Event Manager for WooCommerce Plugin <= 4.1.1 is vulnerable to PHP Object Injection CVE-2024-8016 The Events Calendar Pro <= 7.0.2 - Authenticated (Administrator+) PHP Object Injection to Remote Code Execution CVE-2026-27095 WordPress Bus Ticket Booking with Seat Reservation plugin <= 5.6.0 - PHP Object Injection vulnerability