Description
1C-Bitrix through 25.100.500 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged users who can upload new translated pages to the website.
Published: 2026-05-08
Score: 9.8 Critical
EPSS: 1.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An actor possessing SOURCE/WRITE permissions within the Translate Module can upload a PHP file together with a .htaccess file that causes the web server to execute the code. The flaw is a code‑execution weakness (CWE‑94) that permits arbitrary PHP to run, potentially compromising confidentiality, integrity, and availability of the application and underlying server.

Affected Systems

All 1C‑Bitrix installations up to and including version 25.100.500 that have the Translate Module enabled and grant any user the SOURCE/WRITE permission are affected. No published information indicates this issue exists in later releases.

Risk and Exploitability

Based on the description, it is inferred that the attack vector is the web interface of the Translate Module and that an attacker must have an account with SOURCE/WRITE rights to exploit the flaw. The CVSS score of 9.8 classifies this as a critical remote code execution vulnerability. The EPSS score of 2 % suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only web access to the module and the appropriate permissions; no additional system privileges are mentioned.

Generated by OpenCVE AI on June 18, 2026 at 13:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply vendor patches for 1C‑Bitrix 25.100.500 or newer that address the Translate Module upload flaw
  • Restrict SOURCE/WRITE permissions on the Translate Module to a minimum set of trusted administrators
  • Configure the upload handler to reject PHP and .htaccess files, or whitelist only allowed file types and enforce strict MIME‑type checks
  • Update web‑server rules to prevent execution of files in the translation directory (e.g., deny all PHP execution in that folder)
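The third recommendation above (reject PHP and .htaccess uploads, allowlist file types) is the part a developer can enforce in the upload handler. The following is an added example of such a server-side filename and content check, written here for illustration; it is not code from 1C-Bitrix or from OpenCVE, and the set of accepted translation-file extensions is an assumption, since the page does not say which formats the Translate Module legitimately accepts.

```python
import re
import unicodedata

# Assumed allowlist of translation-file extensions (not from the page).
ALLOWED_EXTENSIONS = {"po", "xml", "json", "csv", "txt"}

# Extension segments that Apache/PHP stacks commonly execute. Every segment of
# the name is checked, so "x.php.po" and "x.po.php" are both refused.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7",
                         "phtml", "phar", "phps", "inc"}

# Server configuration files that change how a directory is served.
CONFIG_FILENAMES = {".htaccess", ".htpasswd", ".user.ini", "web.config"}

# PHP open tags: "<?php", "<?=", or the short "<? " form. "<?xml" does not match.
PHP_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)


class UploadRejected(ValueError):
    """Raised with a human-readable reason when an upload fails validation."""


def sanitize_filename(name):
    """Normalise the name, drop any path components, refuse control chars."""
    name = unicodedata.normalize("NFKC", name)
    name = name.replace("\\", "/").split("/")[-1].strip()
    if not name:
        raise UploadRejected("empty filename")
    if any(ord(c) < 32 or c == "\x7f" for c in name):
        raise UploadRejected("control character in filename")
    if len(name.encode("utf-8")) > 255:
        raise UploadRejected("filename too long")
    return name


def check_filename(name):
    """Allowlist the final extension and refuse dotfiles / executable segments."""
    base = sanitize_filename(name)
    low = base.lower()
    if low in CONFIG_FILENAMES or low.startswith("."):
        raise UploadRejected("dotfile or server config file not allowed: %s" % base)
    parts = low.split(".")
    if len(parts) < 2 or not parts[-1]:
        raise UploadRejected("missing extension")
    for seg in parts[1:]:
        if seg in EXECUTABLE_EXTENSIONS:
            raise UploadRejected("executable extension segment: %s" % seg)
    if parts[-1] not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not in allowlist: %s" % parts[-1])
    return base


def check_content(data):
    """Refuse bodies that carry a PHP open tag, whatever the extension says."""
    if PHP_TAG.search(data):
        raise UploadRejected("PHP open tag found in upload body")


def validate_upload(name, data):
    """Return the sanitised filename if both name and body pass, else raise."""
    base = check_filename(name)
    check_content(data)
    return base


def accepts(name, data):
    """Convenience wrapper: True if the upload would be stored, False otherwise."""
    try:
        validate_upload(name, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample uploads, not real traffic.
    samples = [
        ("ru.po", b'msgid "Hello"\nmsgstr "Privet"\n'),
        ("messages.xml", b"<?xml version='1.0'?><messages/>"),
        (".htaccess", b"Options -Indexes\n"),
        ("notes.php.po", b"msgid \"x\"\n"),
        ("strings.po", b"# translation\n<?php echo 'tag'; ?>\n"),
        ("../../ok.po", b"msgid \"x\"\n"),
    ]
    for name, body in samples:
        try:
            print("ACCEPT %-16s -> stored as %s" % (name, validate_upload(name, body)))
        except UploadRejected as exc:
            print("REJECT %-16s -> %s" % (name, exc))
```

The allowlist is deliberately the last check, so a name that is refused for a more specific reason (dotfile, executable segment) reports that reason. This handler-side check only complements the fourth recommendation: on Apache, `AllowOverride None` for the upload directory means an uploaded .htaccess is never read at all, and disabling the PHP handler for that directory means a PHP file that slips past the filter is served as text rather than executed.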

Generated by OpenCVE AI on June 18, 2026 at 13:10 UTC.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title 1C‑Bitrix Translate Module Remote Code Execution via Uploaded PHP and .htaccess

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title 1C‑Bitrix Translate Module Remote Code Execution via Uploaded PHP and .htaccess

Tue, 16 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Translate Module File Upload in 1C‑Bitrix 25.100.500

Sun, 17 May 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared 1c-bitrix
1c-bitrix 1c-bitrix
Vendors & Products 1c-bitrix
1c-bitrix 1c-bitrix

Wed, 13 May 2026 07:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 01:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Translate Module File Upload in 1C‑Bitrix 25.100.500

Tue, 12 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Upload of PHP and .htaccess in 1C‑Bitrix Translate Module
Weaknesses CWE-434

Mon, 11 May 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 08 May 2026 07:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Upload of PHP and .htaccess in 1C‑Bitrix Translate Module
Weaknesses CWE-434

Fri, 08 May 2026 07:30:00 +0000

Type Values Removed Values Added
References

Fri, 08 May 2026 06:30:00 +0000

Type Values Removed Values Added
Description 1C-Bitrix through 25.100.500 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged users who can upload new translated pages to the website.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-11T19:07:24.400Z

Reserved: 2025-12-12T00:00:00.000Z

Link: CVE-2025-67887

Vulnrichment

Updated: 2026-05-08T05:52:28.158Z

NVD

Status : Awaiting Analysis

Published: 2026-05-08T07:16:28.350

Modified: 2026-06-17T09:58:13.203

Link: CVE-2025-67887

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T13:15:15Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')