๐Ÿ” CVE Alert

CVE-2025-66571

UNKNOWN 0.0

UNA CMS 9.0.0-RC1 - 14.0.0-RC4 PHP Object Injection

CVSS Score: 0.0
EPSS Score: 0.3%
EPSS Percentile: 54th

UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php where the profile_id POST parameter is passed to PHP unserialize() without proper handling, allowing remote, unauthenticated attackers to inject arbitrary PHP objects and potentially write and execute arbitrary PHP code.

CWE: CWE-502
Vendor: unknown
Product: una cms
Published: Dec 4, 2025
Last Updated: Apr 7, 2026

Affected Versions

Unknown / UNA CMS
9.0.0-RC1 ≤ 14.0.0-RC4

References

exploit-db.com: https://www.exploit-db.com/exploits/52139
unacms.com: https://unacms.com
github.com: https://github.com/unacms/una
karmainsecurity.com: https://karmainsecurity.com/KIS-2025-01
vulncheck.com: https://www.vulncheck.com/advisories/una-cms-900-rc1-1400-rc4-php-object-injection

Credits

Egidio Romano aka EgiX