CVE-2018-25409

HIGH 8.8

SIM-PKH 2.4.1 Arbitrary File Upload via aksi_pengurus.php

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with module=pengurus and act=update parameters, which are stored in the foto directory and executed as web scripts.

CWE	CWE-434
Vendor	simpkh
Product	sim-pkh
Published	May 30, 2026
Last Updated	Jun 1, 2026

Stay Ahead of the Next One

Get instant alerts for simpkh sim-pkh

Be the first to know when new high vulnerabilities affecting simpkh sim-pkh are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Simpkh / SIM-PKH

2.4.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/45659 simpkh.sourceforge.io: https://simpkh.sourceforge.io/ sourceforge.net: https://sourceforge.net/projects/simpkh/files/latest/download vulncheck.com: https://www.vulncheck.com/advisories/sim-pkh-arbitrary-file-upload-via-aksi-pengurus-php

Credits

Ihsan Sencan