CVE 8.8 HIGH

CVE-2025-69906_CVE-2025-69906

February 6, 2026 invoker category_cve

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Monstra CMS v3.0.4 contains an arbitrary file upload vulnerability in the Files Manager plugin. The application relies on blacklist-based file extension validation and stores uploaded files directly in a web-accessible directory. Under typical server configurations, this can allow an attacker to upload files that are interpreted as executable code, resulting in remote code execution.

AI Analysis

Arbitrary file upload vulnerability in the Files Manager plugin, allowing remote code execution

Basic Information

ID CVE-2025-69906

Source mitre

Published Feb 5, 2026 at 00:00

Modified Feb 6, 2026 at 15:57

Affected Product

Vendor Monstra CMS Team

Product Monstra CMS

Version 3.0.4

Affected Versions n/a n/a n/a

CWE Classification

CWE-434

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Monstra CMS Team

Product Monstra CMS

Version 3.0.4

References

{
    "lastseen": "",
    "description": "Monstra CMS v3.0.4 contains an arbitrary file upload vulnerability in the Files Manager plugin. The application relies on blacklist-based file extension validation and stores uploaded files directly in a web-accessible directory. Under typical server configurations, this can allow an attacker to upload files that are interpreted as executable code, resulting in remote code execution.",
    "published": "2026-02-05T00:00:00.000Z",
    "modified": "2026-02-06T15:57:50.945Z",
    "type": "cve",
    "title": "CVE-2025-69906",
    "source": "mitre",
    "references": "https://github.com/monstra-cms/monstra/tree/master/plugins/box/filesmanager\nhttps://github.com/cypherdavy/CVE-2025-69906-Monstra-CMS-3.0.4-Arbitrary-File-Upload-to-RCE",
    "id": "CVE-2025-69906",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "n/a n/a n/a",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Monstra CMS",
    "version": "3.0.4",
    "vendor": "Monstra CMS Team",
    "ai_description": "Arbitrary file upload vulnerability in the Files Manager plugin, allowing remote code execution",
    "ai_severity": "High",
    "ai_vendor": "Monstra CMS Team",
    "ai_product": "Monstra CMS",
    "ai_version": "3.0.4",
    "ai_score": 8.8
}

💭 Join the Security Discussion ❌ Cancel Reply