Key information:
CVE ID: CVE-2025-65657
Affected version: FeehiCMS version 2.1.1
Vulnerability type: Remote Code Execution (RCE) via Unrestricted File Upload in Ad Management

Vulnerability details:
- Attackers can upload crafted PHP files because the Ad Management upload handler does not validate or sanitize the uploaded file (its extension or its content) and does not restrict execution of files in the upload location.
- The server then executes the uploaded PHP file, resulting in RCE.

Steps to exploit the vulnerability:
1. Log in as a backend user (the issue is post-authentication: a valid backend account is required).
2. Navigate to Ad Management.
3. Upload a JPEG file.
4. Intercept the request and change the file extension from "jpeg" to "php".
5. Modify the file content to contain PHP code, such as a backdoor.
6. The server executes the PHP code, allowing RCE.

Impact:
- Successful exploitation allows attackers to execute arbitrary code on the target system, leading to full compromise.

Affected code repository: FeehiCMS is located at https://github.com/liufee/cms.
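The exploit steps above work only because the upload is accepted on the strength of attacker-controlled request fields. The following added example (written for this page, not FeehiCMS code and not a description of its actual handler) reconstructs the intercepted multipart request from steps 3 to 5 and runs it through two validators: a weak one that trusts the client-supplied Content-Type, and a hardened one that requires an allow-listed extension, checks the file's magic bytes against that extension, refuses content containing PHP open tags, and stores the file under a server-chosen random name. The JPEG bytes, the PHP payload and the form field names are constructed for the example.

```python
"""Added example, not FeehiCMS code: a weak upload check that accepts the
renamed-to-.php upload described in the advisory, beside a hardened check
that rejects it. The multipart request is constructed inline."""
import secrets
from dataclasses import dataclass
from email.parser import BytesParser
from email.policy import default
from typing import Optional

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Magic bytes -> extensions they may legitimately carry. The bytes decide the
# type; the client-supplied name and Content-Type are never trusted for that.
MAGIC = [
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"GIF87a", {"gif"}),
    (b"GIF89a", {"gif"}),
]
PHP_TAGS = (b"<?php", b"<?=", b"<?")  # "<?" also covers short_open_tag=On


@dataclass
class Upload:
    filename: str      # from Content-Disposition; attacker-controlled
    content_type: str  # from the part's Content-Type header; attacker-controlled
    data: bytes        # file body; attacker-controlled


def parse_multipart(content_type: str, body: bytes) -> list:
    """Extract file parts from a multipart/form-data body with the stdlib parser."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = BytesParser(policy=default).parsebytes(raw)
    uploads = []
    for part in msg.iter_parts():
        name = part.get_filename()
        if name is None:  # plain form field, not a file
            continue
        uploads.append(Upload(name, part.get_content_type(), part.get_payload(decode=True)))
    return uploads


def weak_check(u: Upload) -> bool:
    """Vulnerable pattern: the only gate is the Content-Type the client sent.
    Step 4 renames the file to .php; the part's type header can stay image/jpeg."""
    return u.content_type.startswith("image/")


def hardened_check(u: Upload) -> Optional[str]:
    """Return a server-chosen storage name for an acceptable image, else None."""
    ext = u.filename.rsplit(".", 1)[-1].lower() if "." in u.filename else ""
    if ext not in ALLOWED_EXT:          # step 4 (".php") fails here
        return None
    for magic, exts in MAGIC:
        if u.data.startswith(magic):
            break
    else:                               # step 5 (pure PHP body) fails here
        return None
    if ext not in exts:                 # name says .png, bytes say JPEG: reject
        return None
    if any(tag in u.data for tag in PHP_TAGS):  # JPEG/PHP polyglot: reject
        return None
    # Never reuse the client's name: a random name with the verified extension.
    # Store it outside the web root or in a directory with PHP execution disabled.
    return f"{secrets.token_hex(16)}.{ext}"


BOUNDARY = "----ExampleBoundary7MA4YWxkTrZu0gW"  # constructed


def build_request(filename: str, content_type: str, data: bytes):
    """Constructed multipart body shaped like the intercepted upload request."""
    head = (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    body = head + data + f"\r\n--{BOUNDARY}--\r\n".encode()
    return f"multipart/form-data; boundary={BOUNDARY}", body


# Constructed sample inputs: a minimal JFIF header and a harmless stand-in for a backdoor.
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
PHP_PAYLOAD = b"<?php phpinfo(); ?>"


def evaluate(filename: str, content_type: str, data: bytes):
    """Run one upload through both validators; returns (weak_accepts, hardened_name)."""
    ct, body = build_request(filename, content_type, data)
    upload = parse_multipart(ct, body)[0]
    return weak_check(upload), hardened_check(upload)


if __name__ == "__main__":
    print("legit jpeg   :", evaluate("banner.jpeg", "image/jpeg", JPEG))
    print("renamed .php :", evaluate("banner.php", "image/jpeg", PHP_PAYLOAD))
    print("polyglot     :", evaluate("banner.jpeg", "image/jpeg", JPEG + PHP_PAYLOAD))
```

The weak validator accepts the renamed upload because the attacker keeps the image/jpeg part header while changing only the filename and body. The hardened validator rejects it at the extension check, rejects a bare PHP body at the magic-byte check, and rejects a JPEG/PHP polyglot at the open-tag scan; the random server-side name additionally removes any control the attacker has over where and under what extension the file lands.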