Platform: php
Component: lin-cms-tp5
Fixed in: 0.3.1, 0.3.2, 0.3.3, 0.3.4
CVE-2025-15129 describes an Unrestricted File Upload vulnerability affecting Lin-CMS-TP5, a PHP-based content management system. This flaw allows attackers to upload arbitrary files, potentially leading to code execution and complete system compromise. The vulnerability impacts versions 0.3.0 through 0.3.3, and a fix is available in version 0.3.4. The project has not responded to an early issue report.
The primary impact of CVE-2025-15129 is the ability for an attacker to upload and execute arbitrary code on the server hosting Lin-CMS-TP5. This can lead to complete system takeover, data exfiltration, and denial of service. Given the unrestricted nature of the upload, attackers are not limited to specific file types, enabling them to upload web shells or other malicious code. Successful exploitation could allow an attacker to modify website content, steal sensitive data stored within the CMS, or even pivot to other systems on the network. The availability of a public exploit significantly increases the risk of exploitation.
CVE-2025-15129 has a public proof-of-concept available, indicating a high likelihood of exploitation. The vulnerability was disclosed on 2025-12-28 and the project has not responded to an early issue report, increasing the risk. While not yet listed on CISA KEV, the availability of a public exploit warrants close monitoring and immediate mitigation efforts.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The primary mitigation for CVE-2025-15129 is to immediately upgrade Lin-CMS-TP5 to version 0.3.4 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as strict file type validation on the server-side, restricting upload directory permissions, and disabling the vulnerable LocalUploader.php component. Web application firewalls (WAFs) configured to block suspicious file uploads can also provide a layer of defense. Monitor access logs for unusual file upload activity and implement intrusion detection system (IDS) rules to identify potential exploitation attempts. After upgrading, confirm the vulnerability is resolved by attempting to upload a test file with a known malicious extension.
Update Lin-CMS-TP5 to a version later than 0.3.3, if available, to fix the code injection vulnerability. If no patched version is available, consider disabling the file upload function or implementing robust validations and sanitization in the application/lib/file/LocalUploader.php file to mitigate the risk.
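The two mitigation paragraphs above describe the same control from two angles: strict server-side validation of what gets uploaded, plus a storage location the web server will not execute. The class below is an added example written for this page, not code from Lin-CMS-TP5 or a drop-in replacement for its LocalUploader.php; the class name, the allow-list, the size limit and the `/var/www/uploads` path are assumptions. It shows the checks a hardened uploader needs: an extension allow-list, content sniffing with libmagic rather than the client-supplied MIME type, a server-generated filename with no client path components, and non-executable permissions on the stored file.

```php
<?php
// Added example (not Lin-CMS-TP5 code): hardened server-side upload validation.
declare(strict_types=1);

final class HardenedUploadValidator
{
    /** Allow-list: permitted extension => MIME types the file content must sniff as. */
    private const ALLOWED = [
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'png'  => ['image/png'],
        'gif'  => ['image/gif'],
        'pdf'  => ['application/pdf'],
    ];

    /** Assumed limit; tune to the application's real needs. */
    private const MAX_BYTES = 2 * 1024 * 1024;

    public function __construct(private string $uploadDir) {}

    /**
     * Validate one entry from $_FILES and move it into the upload directory
     * under a server-chosen name. Returns the stored path.
     *
     * @throws RuntimeException on any validation failure
     */
    public function store(array $file): string
    {
        if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
            throw new RuntimeException('Upload failed or missing');
        }
        // Reject anything that did not arrive through PHP's upload mechanism.
        if (!is_uploaded_file($file['tmp_name'])) {
            throw new RuntimeException('Not an uploaded file');
        }
        if ($file['size'] > self::MAX_BYTES) {
            throw new RuntimeException('File too large');
        }

        // Use only the final extension, lower-cased, of the client-supplied name.
        // A double extension such as "x.php.jpg" yields "jpg" here and is then
        // also checked against the actual file content below.
        $original = basename((string) $file['name']);
        $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
        if (!isset(self::ALLOWED[$ext])) {
            throw new RuntimeException("Extension not allowed: $ext");
        }

        // Sniff the bytes with libmagic; $file['type'] is attacker-controlled.
        $finfo = new finfo(FILEINFO_MIME_TYPE);
        $mime = $finfo->file($file['tmp_name']);
        if ($mime === false || !in_array($mime, self::ALLOWED[$ext], true)) {
            throw new RuntimeException("Content type does not match .$ext");
        }

        // Server-generated name: no client path components, no double
        // extensions, no null bytes, no collisions with existing files.
        $name = bin2hex(random_bytes(16)) . '.' . $ext;
        $dir  = rtrim($this->uploadDir, '/');
        if (!is_dir($dir) || !is_writable($dir)) {
            throw new RuntimeException('Upload directory not writable');
        }
        $dest = $dir . '/' . $name;

        if (!move_uploaded_file($file['tmp_name'], $dest)) {
            throw new RuntimeException('Could not store file');
        }
        // Readable, not executable, not world-writable.
        chmod($dest, 0644);
        return $dest;
    }
}

// Usage from a controller (assumed path):
// $validator = new HardenedUploadValidator('/var/www/uploads');
// $storedPath = $validator->store($_FILES['file']);
```

The validator only covers the application side of the two mitigations. The upload directory itself should either sit outside the document root, or have script execution disabled in the web server configuration (for Apache, `php_admin_flag engine off` in a `<Directory>` block for that path; for nginx, a `location` that never passes requests under the upload path to PHP-FPM), so that even a file that slips through validation cannot be executed by requesting its URL.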
CVE-2025-15129 is a medium severity vulnerability in Lin-CMS-TP5 versions 0.3.0–0.3.3 that allows attackers to upload arbitrary files, potentially leading to code execution.
You are affected if you are using Lin-CMS-TP5 versions 0.3.0 through 0.3.3. Upgrade to version 0.3.4 to mitigate the risk.
Upgrade Lin-CMS-TP5 to version 0.3.4. If upgrading is not possible, implement temporary workarounds like file type validation and restricting upload directory permissions.
Yes, a public proof-of-concept is available, indicating a high likelihood of active exploitation.
As of the current date, there is no official advisory from the Lin-CMS-TP5 project. Monitor their website and relevant security mailing lists for updates.