CVE-2025-69906

Published: Feb 5, 2026

Modified: Feb 6, 2026

PUBLISHED

Description

Monstra CMS v3.0.4 contains an arbitrary file upload vulnerability in the Files Manager plugin. The application relies on blacklist-based file extension validation and stores uploaded files directly in a web-accessible directory. Under typical server configurations, this can allow an attacker to upload files that are interpreted as executable code, resulting in remote code execution.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/monstra-cms/monstra/tree/master/plugins/box/filesmanager

https://github.com/cypherdavy/CVE-2025-69906-Monstra-CMS-3.0.4-Arbitrary-File-Upload-to-RCE

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-69906

Description

Affected Products

References