CVE-2025-69906

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

05/02/2026

Last modified:

05/02/2026

Description

Monstra CMS v3.0.4 contains an arbitrary file upload vulnerability in the Files Manager plugin. The application relies on blacklist-based file extension validation and stores uploaded files directly in a web-accessible directory. Under typical server configurations, this can allow an attacker to upload files that are interpreted as executable code, resulting in remote code execution.

Impact

References to Advisories, Solutions, and Tools

https://github.com/cypherdavy/CVE-2025-69906-Monstra-CMS-3.0.4-Arbitrary-File-Upload-to-RCE
https://github.com/monstra-cms/monstra/tree/master/plugins/box/filesmanager