CVE-2025-29287: MCMS allows arbitrary file uploads in the ueditor component

April 21, 2025

An arbitrary file upload vulnerability in the ueditor component of MCMS v5.4.3 allows attackers to execute arbitrary code via uploading a crafted file.

References

gist.github.com/erdan111/38dcb5150b523436fe01249b2542f02f
gitee.com/mingSoft/MCMS/commit/17679d8fae3df2b433478829b01ab05a56ffdbc8
gitee.com/mingSoft/MCMS/issues/IBOOTX
github.com/advisories/GHSA-3922-2r6r-r4fv
github.com/ming-soft/MCMS
nvd.nist.gov/vuln/detail/CVE-2025-29287

Code Behaviors & Features

Detect and mitigate CVE-2025-29287 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →