CVE-2025-10353

Missing Authorization vulnerability in Melis Platform

CVSS 9.3 CRITICALEPSS 2.5%CWE-43

File upload leading to remote code execution (RCE) in the “melis-cms-slider” module of Melis Technology's Melis Platform. This vulnerability allows an attacker to upload a malicious file via a POST request to '/melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm' using the 'mcsdetail_img' parameter.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

Melis Technology · Melis Platform

public PoCs found — 2

githubgithub.com/tempiltin/CVE-2025-10353-POC★ 2 cve_referencegithub.com/ivansmc00/CVE-2025-10353-POCunverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/ivansmc00/CVE-2025-10353-POC https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-melis-platform