{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-14532","assignerOrgId":"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6","state":"PUBLISHED","assignerShortName":"CERT-PL","dateReserved":"2025-12-11T10:04:25.964Z","datePublished":"2026-03-02T12:49:05.217Z","dateUpdated":"2026-03-02T13:34:55.888Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"DobryCMS","vendor":"Studio Fabryka","versions":[{"lessThanOrEqual":"1.*","status":"affected","version":"1.0","versionType":"semver"},{"lessThanOrEqual":"2.*","status":"affected","version":"2.0","versionType":"semver"},{"status":"affected","version":"5.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Dawid Radziński (RED SECURITY)"}],"datePublic":"2026-03-02T10:55:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"DobryCMS's upload file functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can result in Remote Code Execution.<br><br>This issue was fixed in versions above 5.0."}],"value":"DobryCMS's upload file functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can result in Remote Code Execution.\n\nThis issue was fixed in versions above 5.0."}],"impacts":[{"capecId":"CAPEC-253","descriptions":[{"lang":"en","value":"CAPEC-253 Remote Code Inclusion"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":9.3,"baseSeverity":"CRITICAL","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"LOW","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-434","description":"CWE-434 Unrestricted Upload of File with Dangerous Type","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6","shortName":"CERT-PL","dateUpdated":"2026-03-02T12:49:05.217Z"},"references":[{"url":"https://cert.pl/posts/2026/03/CVE-2025-12462/"}],"source":{"discovery":"EXTERNAL"},"title":"Remote Code Execution via Unrestricted File Upload in DobryCMS","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-02T13:34:48.057861Z","id":"CVE-2025-14532","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-02T13:34:55.888Z"}}]}}