CVE Catalog

CVE-2025-60641

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.38%

30th percentile - higher than 30% of all known CVEs

Summary

The file mexcel.php in Vfront 0.99.52 contains a vulnerability due to insecure deserialization of user-controlled input. The unserialize function is called on base64-decoded $_POST['mexcel'] data without validation or the allowed_classes option, allowing an attacker to inject arbitrary PHP objects. This can lead to remote code execution, SQL injection, path traversal, or denial of service.

Risk Assessment

The organization risks server compromise, data breaches, or service disruption. An attacker can exploit available classes in Vfront or its dependencies to achieve remote code execution.

Recommendation

Immediately update Vfront to the latest patched version. If an update is not possible, replace the unserialize call with a safe function like json_decode or use the allowed_classes option with an empty array.

Original NVD description (English source)

The file mexcel.php in the Vfront 0.99.52 codebase contains a vulnerable call to unserialize(base64_decode($_POST['mexcel'])), where $_POST['mexcel'] is user-controlled input. This input is decoded from base64 and deserialized without validation or use of the allowed_classes option, allowing an attacker to inject arbitrary PHP objects. This can lead to malicious behavior, such as Remote Code Execution (RCE), SQL Injection, Path Traversal, or Denial of Service, depending on the availability of exploitable classes in the Vfront codebase or its dependencies.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS