CVE-2025-66571

EUVD-2025-201274
UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php where the profile_id POST parameter is passed to PHP unserialize() without proper handling, allowing remote, unauthenticated attackers to inject arbitrary PHP objects and potentially write and execute arbitrary PHP code.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 49%
Common Weakness Enumeration
References
https://github.com/unacms/una
https://karmainsecurity.com/KIS-2025-01
https://unacms.com
https://www.exploit-db.com/exploits/52139
https://www.vulncheck.com/advisories/una-cms-900-rc1-1400-rc4-php-object-injection