Platform: php
Component: powercms
Fixed in: 6.7.1, 5.3.1, 4.6.1
CVE-2025-46359 describes a path traversal vulnerability discovered in the backup and restore feature of PowerCMS. This flaw allows a malicious product administrator to potentially execute arbitrary code by crafting and restoring a specially designed backup file. The vulnerability affects versions of PowerCMS up to and including 6.7, with a fix available in version 6.7.1.
The path traversal vulnerability in PowerCMS allows an attacker with product administrator privileges to bypass intended access controls. By crafting a malicious backup file containing path traversal sequences (e.g., ../../../../etc/passwd), an attacker can potentially read sensitive files from the server's file system. More critically, the ability to restore a crafted backup could allow an attacker to overwrite existing system files or inject malicious code, leading to remote code execution (RCE). This could result in complete system compromise, data theft, and denial of service.
CVE-2025-46359 was publicly disclosed on 2025-07-31. As of this date, there are no publicly available proof-of-concept exploits. The vulnerability's severity is rated HIGH (7.2) based on the CVSS score, indicating a reasonable probability of exploitation. It is not currently listed on the CISA KEV catalog.
EPSS: 0.25% (48th percentile)
The primary mitigation for CVE-2025-46359 is to immediately upgrade PowerCMS to version 6.7.1 or later. If upgrading is not immediately feasible, restrict access to the backup and restore functionality to trusted administrators only. Implement strict input validation on all files uploaded for backup, specifically checking every entry path for path traversal sequences. Web application firewalls (WAFs) configured to detect and block path traversal attempts provide an additional layer of defense. After upgrading, confirm the fix by attempting to restore a backup file that references a location outside the expected restore directory; the restoration should fail with an appropriate error message.
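As an added illustration of the "strict input validation" mitigation above (this is example code, not PowerCMS's own restore logic), the following Python validates every member of a backup archive and rejects any whose name would resolve outside the restore directory. The restore directory, the in-memory sample archives and the function names are constructed for the example.

```python
import io
import os
import tarfile
from pathlib import Path


class UnsafeBackupEntry(ValueError):
    """Raised when an archive member would escape the restore directory."""


def is_contained(restore_root: Path, member_name: str) -> bool:
    """True only if member_name resolves to a path inside restore_root.
    Rejects absolute names, names with a drive prefix and '..' escapes."""
    root = restore_root.resolve()
    if os.path.isabs(member_name) or os.path.splitdrive(member_name)[0]:
        return False
    # resolve() collapses '..' components and follows existing symlinks
    target = (root / member_name).resolve()
    return target == root or root in target.parents


def validate_backup(archive: bytes, restore_root: Path) -> list[str]:
    """Return the member names of `archive` if every one stays under
    restore_root; otherwise raise UnsafeBackupEntry for the first bad member."""
    accepted = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.issym() or member.islnk():
                # a link written first could redirect a later write outside the tree
                raise UnsafeBackupEntry(f"link member not allowed: {member.name}")
            if not is_contained(restore_root, member.name):
                raise UnsafeBackupEntry(f"path traversal in member: {member.name}")
            accepted.append(member.name)
    return accepted


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Constructed sample data: build a tar archive in memory from name -> bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: a clean backup and one carrying a traversal entry.
BENIGN = build_archive({"site/config.txt": b"theme=default\n"})
HOSTILE = build_archive({"site/config.txt": b"ok\n", "../../outside.txt": b"x\n"})


def demo(restore_root=Path("/var/www/powercms_restore")):  # hypothetical directory
    """Return (accepted members of BENIGN, error text for HOSTILE or None)."""
    ok = validate_backup(BENIGN, restore_root)
    try:
        validate_backup(HOSTILE, restore_root)
        rejected = None
    except UnsafeBackupEntry as exc:
        rejected = str(exc)
    return ok, rejected
```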
Update PowerCMS to the latest version provided by the vendor, Alfasado Inc. Consult the release notes for version 6.7.1, 5.3.1 or 4.6.1 for specific details on the fix for this path traversal issue. Be sure to back up your system before applying the update.
CVE-2025-46359 is a path traversal vulnerability in PowerCMS versions up to 6.7, allowing attackers to potentially execute arbitrary code by restoring a crafted backup file.
You are affected if you are running PowerCMS versions 6.7 or earlier. Upgrade to 6.7.1 to mitigate the risk.
Upgrade PowerCMS to version 6.7.1 or later. As a temporary workaround, restrict access to the backup and restore feature to trusted administrators.
As of 2025-07-31, there are no publicly known active exploitation campaigns targeting CVE-2025-46359.
Refer to the official PowerCMS security advisory for detailed information and updates regarding CVE-2025-46359.