CVE-2025-7063 CRITICAL

CVE-2025-7063: Remote Code Execution via Unrestricted File Upload in PAD CMS

Vendor: Polska Akademia Dostępności
Product: PAD CMS
Weakness: CWE-434 · Unrestricted file upload
Published: September 30, 2025
Last update: September 30, 2025

CVSS base score

10.0/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

Due to a client-controlled permission check parameter, PAD CMS's file upload functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction. The uploaded files can then be executed, leading to Remote Code Execution. This issue affects all 3 templates: www, bip and www+bip. This product is End-Of-Life and the vendor will not publish patches for this vulnerability.

Key dates

02 Disclosure timeline

September 30, 2025 CVE published
September 30, 2025 Record updated