Description
UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php where the profile_id POST parameter is passed to PHP unserialize() without proper handling, allowing remote, unauthenticated attackers to inject arbitrary PHP objects and potentially write and execute arbitrary PHP code.
Published: 2025-12-04
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

UNA CMS versions 9.0.0-RC1 through 14.0.0-RC4 expose a PHP object injection flaw in BxBaseMenuSetAclLevel.php. The vulnerability arises because the profile_id POST parameter is passed directly to PHP unserialize() without sanitization, allowing an attacker to inject arbitrary PHP objects. This flaw can lead to the execution of malicious PHP code, giving full control over the affected web server and compromising confidentiality, integrity, and availability. The weakness is classified as CWE-502 (Deserialization of Untrusted Data).

Affected Systems

The affected system is UNA CMS, a content management platform. All releases from version 9.0.0-RC1 up to 14.0.0-RC4 are vulnerable. No specific distribution vendor beyond UNA CMS is listed, but any deployment using these releases is at risk.

Risk and Exploitability

The CVSS score of 9.3 reflects that arbitrary code execution is possible without authentication. The EPSS score of less than 1% indicates that, despite the high severity, the probability of exploitation in the wild is currently low, likely due to limited exposure or recent discovery. The vulnerability is not yet listed in CISA's KEV catalog. The most probable attack vector is a remote, unauthenticated POST request to the BxBaseMenuSetAclLevel.php endpoint with a crafted profile_id value. An attacker would need to send a serialized payload that instantiates objects capable of performing write and execute operations on the server.

Generated by OpenCVE AI on April 22, 2026 at 20:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest UNA CMS update that addresses the object injection flaw; if a patch is available, upgrade immediately.
  • If an upgrade is not available, restrict external access to the BxBaseMenuSetAclLevel.php endpoint or limit POST requests to authenticated users only, effectively blocking unauthenticated exploitation.
  • Disable PHP's unserialize() for untrusted data by adding 'unserialize' to php.ini's disable_functions setting or by employing a wrapper that validates serialized strings before deserialization. This blocks object creation until a patch is applied.
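As an added illustration (not part of the OpenCVE analysis and not UNA CMS code), the vulnerable pattern the description refers to is shown beside two hardened forms, including the kind of validating wrapper the last recommendation mentions. The file name and the profile_id parameter come from the advisory; the function names and the assumed shape of profile_id (a positive integer id or a list of them) are assumptions made for this example.

```php
<?php
// Added example, not UNA CMS code. BxBaseMenuSetAclLevel.php and the profile_id
// parameter are named in the advisory; the function names and the assumed shape
// of profile_id (a positive integer id or a list of them) are illustrative.
// Vulnerable pattern (CWE-502): request data goes straight into unserialize().
// A serialized "O:" token makes PHP instantiate whatever class the sender names,
// and that class's magic methods (__wakeup, __destruct, __toString, ...) run.
function vulnerable_profile_ids(array $post)
{
    return unserialize($post['profile_id']);
}
// Hardened form 1: stop deserializing. Ids are plain data, so carry them as a
// JSON array of integers and validate every element.
function profile_ids_from_json(string $raw): array
{
    $ids = json_decode($raw, true, 2, JSON_THROW_ON_ERROR);
    return assert_int_list(is_array($ids) ? $ids : [$ids]);
}
// Hardened form 2: if the serialized format cannot be changed yet, forbid class
// instantiation, then check the decoded structure is exactly what is expected.
function profile_ids_from_serialized(string $raw): array
{
    // allowed_classes => false: every object becomes __PHP_Incomplete_Class, so
    // no sender-chosen class is instantiated and none of its magic methods run.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if ($data === false && $raw !== 'b:0;') {
        throw new InvalidArgumentException('profile_id is not valid serialized data');
    }
    return assert_int_list(is_array($data) ? $data : [$data]);
}
// Shared check: a flat list of positive integers and nothing else.
function assert_int_list(array $ids): array
{
    foreach ($ids as $id) {
        if (!is_int($id) || $id <= 0) {
            throw new InvalidArgumentException('profile_id must contain positive integers only');
        }
    }
    return array_values($ids);
}
// Constructed inputs: two benign id lists and one object payload that is rejected.
print_r(profile_ids_from_json('[7, 42]'));
print_r(profile_ids_from_serialized('a:2:{i:0;i:7;i:1;i:42;}'));
try {
    profile_ids_from_serialized('a:1:{i:0;O:8:"stdClass":0:{}}');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Note that disable_functions applies to every unserialize() call in the PHP process, not only to this endpoint, so on a CMS that serializes its own data the validating wrapper is usually the more workable interim control.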

Advisories

No advisories yet.

History

Fri, 05 Dec 2025 17:15:00 +0000

Type                  Values Removed   Values Added
Metrics               (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Dec 2025 11:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Unacms
                                       Unacms una
Vendors & Products    (none)           Unacms
                                       Unacms una

Thu, 04 Dec 2025 21:00:00 +0000

Type                  Values Removed   Values Added
Description           (none)           UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php where the profile_id POST parameter is passed to PHP unserialize() without proper handling, allowing remote, unauthenticated attackers to inject arbitrary PHP objects and potentially write and execute arbitrary PHP code.
Title                 (none)           UNA CMS 9.0.0-RC1 - 14.0.0-RC4 PHP Object Injection
Weaknesses            (none)           CWE-502
References            (none)
Metrics               (none)           cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:49.440Z

Reserved: 2025-12-04T16:17:41.799Z

Link: CVE-2025-66571

Vulnrichment

Updated: 2025-12-05T16:46:16.294Z

NVD

Status: Deferred

Published: 2025-12-04T21:16:09.747

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-66571

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T21:00:06Z

Weaknesses