{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-30T05:31:19.796","vulnerabilities":[{"cve":{"id":"CVE-2025-69906","sourceIdentifier":"cve@mitre.org","published":"2026-02-05T17:16:12.900","lastModified":"2026-06-17T10:00:55.437","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Monstra CMS v3.0.4 contains an arbitrary file upload vulnerability in the Files Manager plugin. The application relies on blacklist-based file extension validation and stores uploaded files directly in a web-accessible directory. Under typical server configurations, this can allow an attacker to upload files that are interpreted as executable code, resulting in remote code execution."},{"lang":"es","value":"Monstra CMS v3.0.4 contiene una vulnerabilidad de carga arbitraria de archivos en el plugin Files Manager. La aplicación se basa en la validación de extensión de archivo basada en lista negra y almacena los archivos cargados directamente en un directorio accesible por web. Bajo configuraciones típicas de servidor, esto puede permitir a un atacante cargar archivos que son interpretados como código ejecutable, resultando en ejecución remota de código."}],"affected":[{"source":"cve@mitre.org","affectedData":[{"vendor":"n/a","product":"n/a","versions":[{"version":"n/a","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-02-06T15:57:01.935012Z","id":"CVE-2025-69906","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-434"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:monstra:monstra_cms:3.0.4:*:*:*:*:*:*:*","matchCriteriaId":"A2226D9F-8476-4F0F-9DE3-21A8FE290533"}]}]}],"references":[{"url":"https://github.com/cypherdavy/CVE-2025-69906-Monstra-CMS-3.0.4-Arbitrary-File-Upload-to-RCE","source":"cve@mitre.org","tags":["Exploit","Third Party Advisory"]},{"url":"https://github.com/monstra-cms/monstra/tree/master/plugins/box/filesmanager","source":"cve@mitre.org","tags":["Exploit"]}]}}]}