GHSA-xj9j-gjxg-7jvq

Source

https://github.com/advisories/GHSA-xj9j-gjxg-7jvq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-xj9j-gjxg-7jvq/GHSA-xj9j-gjxg-7jvq.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xj9j-gjxg-7jvq

Aliases

CVE-2025-64050

Published

2025-11-25T18:32:22Z

Modified

2025-11-26T22:27:49.952831Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

REDAXO CMS is vulnerable to RCE attack through its template management component

Details

A Remote Code Execution (RCE) vulnerability in the template management component in REDAXO CMS 5.20.0 allows remote authenticated administrators to execute arbitrary operating system commands by injecting PHP code into an active template. The payload is executed when visitors access frontend pages using the compromised template.

Database specific

{
    "nvd_published_at": "2025-11-25T16:16:07Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "HIGH",
    "github_reviewed_at": "2025-11-26T22:00:29Z"
}

References

Affected packages

Packagist / redaxo/source

Package

Name: redaxo/source
Purl: pkg:composer/redaxo/source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.20.1

Affected versions

5.*

5.10.0-beta1

5.10.0-beta2

5.10.0

5.10.1

5.11.0-beta1

5.11.0

5.11.1

5.11.2

5.12.0-beta1

5.12.0-beta2

5.12.0-beta3

5.12.0

5.12.1

5.13.0-beta1

5.13.0-beta2

5.13.0

5.13.1

5.13.2

5.13.3

5.14.0-beta1

5.14.0-beta2

5.14.0

5.14.1

5.14.2

5.14.3

5.15.0-beta1

5.15.0

5.15.1

5.16.0-beta1

5.16.0

5.16.1

5.17.0

5.17.1

5.18.0

5.18.1

5.18.2

5.18.3

5.19.0

5.20.0