CVE-2025-5327 MEDIUM

CVE-2025-5327: chshcms mccms Gf.php index server-side request forgery

Vendor Chshcms

Product mccms

Weakness CWE-918 · SSRF

Published May 29, 2025

Last update May 29, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A vulnerability was found in chshcms mccms 2.7. It has been classified as critical. This affects the function index of the file sys/apps/controllers/api/Gf.php. The manipulation of the argument pic leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

May 29, 2025 CVE published

May 29, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-5327 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities

04Related CVE

CVE-2026-7084 HBAI-Ltd Toonflow-app getCodeByLink Endpoint getCodeByLink.ts fetch server-side request forgery CVE-2026-26135 Azure Custom Locations Resource Provider (RP) Elevation of Privilege Vulnerability CVE-2023-4769 Server-Side Request Forgery in ManageEngine Desktop Central CVE-2025-32675 WordPress SEO Help plugin <= 6.7.9 - Server Side Request Forgery (SSRF) vulnerability CVE-2025-32013 Server-Side Request Forgery via LNURL Authentication Callback in LNbits Lightning Network Payment System