CVE-2025-64050

Source
https://cve.org/CVERecord?id=CVE-2025-64050
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64050.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-64050
Aliases
Published
2025-11-25T16:16:07.430Z
Modified
2026-04-10T05:33:39.584405Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

A Remote Code Execution (RCE) vulnerability in the template management component in REDAXO CMS 5.20.0 allows remote authenticated administrators to execute arbitrary operating system commands by injecting PHP code into an active template. The payload is executed when visitors access frontend pages using the compromised template.

References

Affected packages

Git / github.com/redaxo/redaxo

Affected ranges

Type
GIT
Repo
https://github.com/redaxo/redaxo
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.20.0"
        }
    ]
}

Affected versions

5.*
5.0.0
5.0.0-alpha7
5.0.0-beta1
5.0.0-beta2
5.0.0-rc
5.0.1
5.1.0
5.10.0
5.10.0-beta1
5.10.0-beta2
5.11.0
5.11.0-beta1
5.12.0
5.12.0-beta1
5.12.0-beta2
5.12.0-beta3
5.13.0
5.13.0-beta1
5.13.0-beta2
5.13.1
5.13.2
5.14.0
5.14.0-beta1
5.14.0-beta2
5.14.1
5.15.0
5.15.0-beta1
5.16.0
5.16.0-beta1
5.16.1
5.17.0
5.17.1
5.18.0
5.18.1
5.18.2
5.18.3
5.19.0
5.2.0
5.2.0-beta1
5.20.0
5.3.0
5.4.0
5.4.0-beta1
5.4.0-beta2
5.5.0
5.5.0-beta1
5.5.1
5.6.0
5.6.0-beta1
5.6.1
5.7.0
5.7.0-beta1
5.7.0-beta2
5.7.0-beta3
5.8.0
5.8.0-beta1
5.9.0
5.9.0-beta1
5.9.0-beta2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64050.json"