Description
An unrestricted file upload vulnerability exists in BuilderEngine 3.5.0 via the integration of the elFinder 2.0 file manager and its use of the jQuery File Upload plugin. The plugin fails to properly validate or restrict file types or locations during upload operations, allowing an attacker to upload a malicious .php file and subsequently execute arbitrary PHP code on the server under the context of the web server process. While the root vulnerability lies within the jQuery File Upload component, BuilderEngine’s improper integration and lack of access controls expose this functionality to unauthenticated users, resulting in full remote code execution.
Published: 2025-07-10
Score: 9.3 Critical
EPSS: 79.3% High
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from an unrestricted file upload in BuilderEngine 3.5.0 where the elFinder 2.0 file manager fails to enforce file type or storage restrictions. The underlying jQuery File Upload component accepts any file without validating its MIME type or destination, allowing an attacker to upload a malicious .php file that the web server then executes. This flaw is a classic example of CWE-434 (Unrestricted Upload of a Dangerous Type) compounded by CWE-20 (Improper Input Validation) and CWE-306 (Missing Authentication for a Critical Function). If exploited, the attacker gains complete control over the web server process, can modify or delete data, and potentially pivot to other network assets.

Affected Systems

This issue affects installations of BuilderEngine CMS version 3.5.0. No other versions are mentioned in the advisory and no additional releases are indicated as vulnerable.

Risk and Exploitability

The CVSS score of 9.3 marks it as critical, and the EPSS score of 79% reflects a high likelihood of exploitation. Although it is not listed in the CISA KEV catalog, the attack path is straightforward: unauthenticated users can submit a file via the upload endpoint, causing the server to execute it. Because the flaw permits arbitrary PHP files, an attacker can achieve full system compromise, tamper with data, or move laterally to other resources.

Generated by OpenCVE AI on May 6, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest BuilderEngine release that includes the upload validation fix or install the official patch for version 3.5.0.
  • Immediately disable or restrict the elFinder upload endpoint for unauthenticated users until a fix is applied.
  • Reconfigure or replace the jQuery File Upload component to enforce strict MIME type filtering and disallow script extensions in publicly accessible upload directories.

Generated by OpenCVE AI on May 6, 2026 at 16:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21028 An unrestricted file upload vulnerability exists in BuilderEngine 3.5.0 via the integration of the elFinder 2.0 file manager and its use of the jQuery File Upload plugin. The plugin fails to properly validate or restrict file types or locations during upload operations, allowing an attacker to upload a malicious .php file and subsequently execute arbitrary PHP code on the server under the context of the web server process. While the root vulnerability lies within the jQuery File Upload component, BuilderEngine’s improper integration and lack of access controls expose this functionality to unauthenticated users, resulting in full remote code execution.
History

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00255}

 epss

{'score': 0.00362}

Fri, 11 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00255}

Fri, 11 Jul 2025 13:30:00 +0000

Type Values Removed Values Added
Metrics epss

{}

Thu, 10 Jul 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 10 Jul 2025 19:30:00 +0000

Type Values Removed Values Added
Description An unrestricted file upload vulnerability exists in BuilderEngine 3.5.0 via the integration of the elFinder 2.0 file manager and its use of the jQuery File Upload plugin. The plugin fails to properly validate or restrict file types or locations during upload operations, allowing an attacker to upload a malicious .php file and subsequently execute arbitrary PHP code on the server under the context of the web server process. While the root vulnerability lies within the jQuery File Upload component, BuilderEngine’s improper integration and lack of access controls expose this functionality to unauthenticated users, resulting in full remote code execution.
Title BuilderEngine 3.5.0 RCE via Unauthenticated Arbitrary File Upload
Weaknesses CWE-20
CWE-306
CWE-434
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:29.072Z

Reserved: 2025-04-15T19:15:22.556Z

Link: CVE-2025-34100

cve-icon Vulnrichment

Updated: 2025-07-10T20:29:23.308Z

cve-icon NVD

Status : Deferred

Published: 2025-07-10T20:15:25.710

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-34100

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T17:00:05Z

Weaknesses