CVE-2025-9406 MEDIUM

CVE-2025-9406: xuhuisheng lemon CmsArticleController.java uploadImage unrestricted upload

Vendor Xuhuisheng
Product lemon
Weakness CWE-434 · Unrestricted file upload
Published August 25, 2025
Last update August 25, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A weakness has been identified in xuhuisheng lemon up to 1.13.0. It affects the function uploadImage in the file CmsArticleController.java of the component com.mossle.cms.web.CmsArticleController.uploadImage. Manipulating the argument Upload leads to unrestricted file upload. The attack can be initiated remotely. An exploit has been made publicly available and could be used.

Key dates

Disclosure timeline

August 25, 2025 CVE published
August 25, 2025 Record updated