CVE-2025-15264 MEDIUM

CVE-2025-15264: FeehiCMS TimThumb timthumb.php server-side request forgery

Vendor N/A
Product FeehiCMS
Weakness CWE-918 · SSRF
Published December 30, 2025
Last update December 30, 2025

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01 Description

A vulnerability was found in FeehiCMS up to 2.1.1. It affects an unknown function in the file frontend/web/timthumb.php of the TimThumb component. Manipulating the src argument can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02 Disclosure timeline

December 30, 2025 CVE published
December 30, 2025 Record updated