Back to KEVs

CVE-2025-10353

Missing Authorization vulnerability in Melis Platform

Basic Information

CVE State
PUBLISHED
Reserved Date
September 12, 2025
Published Date
October 08, 2025
Last Updated
December 11, 2025
Vendor
Melis Technology
Product
Melis Platform
Description
File upload leading to remote code execution (RCE) in the “melis-cms-slider” module of Melis Technology's Melis Platform. This vulnerability allows an attacker to upload a malicious file via a POST request to '/melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm' using the 'mcsdetail_img' parameter.
Tags
nuclei_scanner

CVSS Scores

CVSS v4.0

9.3 - CRITICAL

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

SSVC Information

Exploitation
poc
Automatable
Yes
Technical Impact
partial

Exploit Status

Exploited in the Wild
Yes (2026-04-28 00:00:00 UTC) Source

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-melis-platform https://github.com/ivansmc00/CVE-2025-10353-POC

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2026-04-28 00:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-10353.yaml 2026-06-01 15:34:40 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel

  • Detected by Nuclei