CVE-2025-9406

Source
https://cve.org/CVERecord?id=CVE-2025-9406
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9406.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-9406
Published
2025-08-25T04:15:55.657Z
Modified
2026-03-14T12:47:26.373251Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

A weakness has been identified in xuhuisheng lemon up to 1.13.0. It affects the function uploadImage in the file CmsArticleController.java of the component com.mossle.cms.web.CmsArticleController.uploadImage. Manipulating the argument Upload causes unrestricted upload. The attack can be initiated remotely. The exploit has been made publicly available and could be used.

References

Affected packages

Git / github.com/xuhuisheng/lemon

Affected ranges

Type
GIT
Repo
https://github.com/xuhuisheng/lemon
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.13.0"
        }
    ]
}

Affected versions

lemon-0.*
lemon-0.8.0
lemon-0.9.0
lemon-1.*
lemon-1.0.0
lemon-1.0.1
lemon-1.1.0
lemon-1.10.0
lemon-1.11.0
lemon-1.12.0
lemon-1.13.0
lemon-1.2.0
lemon-1.3.0
lemon-1.3.1
lemon-1.4.0
lemon-1.5.0
lemon-1.5.1
lemon-1.6.0
lemon-1.6.1
lemon-1.7.0
lemon-1.8.0
lemon-1.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9406.json"