CVE-2025-30091

In Tiny MoxieManager PHP before 4.0.0, remote code execution can occur in the installer command. This vulnerability allows unauthenticated attackers to inject and execute arbitrary code. Attacker-controlled data to InstallCommand can be inserted into config.php, and InstallCommand is available after an installation has completed.
Static Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
mitreCNA
---
---
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 56%
Common Weakness Enumeration
References
https://www.moxiemanager.com/changelog/
https://www.moxiemanager.com/documentation/SEC-1063.php