CVE-2025-15009 MEDIUM

CVE-2025-15009: liweiyi ChestnutCMS Filename upload FilenameUtils.getExtension unrestricted upload

Vendor Liweiyi
Product ChestnutCMS
Weakness CWE-434 · Unrestricted file upload
Published December 22, 2025
Last update December 22, 2025
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A flaw has been found in liweiyi ChestnutCMS up to 1.5.8. This vulnerability affects the function FilenameUtils.getExtension of the file /dev-api/common/upload of the component Filename Handler. Executing manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been published and may be used.

Key dates

02Disclosure timeline

December 22, 2025 CVE published
December 22, 2025 Record updated