cvedb.io
CVE-2025-65806
MEDIUM · CVSS 4.3
EPSS exploitation probability: 0%
Published 2025-12-04T20:16:19.563 · Last modified 2026-06-17T09:55:56.957

Summary

The E-POINT CMS eagle.gsam-1169.1 file upload feature improperly handles nested archive files. An attacker can upload a nested ZIP (a ZIP containing another ZIP) where the inner archive contains an executable file (e.g. webshell.php). When the application extracts the uploaded archives, the executable may be extracted into a web-accessible directory. This can lead to remote code execution (RCE), data disclosure, account compromise, or further system compromise depending on the web server/process privileges. The issue arises from insufficient validation of archive contents and inadequate restrictions on extraction targets.
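A defender-side check for the weakness described in the summary, as an added example that is not code from E-POINT CMS or from this advisory: it inspects an uploaded ZIP in memory, descends into nested archives, and reports entries that violate an upload policy before anything is written to disk. The allow-list, depth limit, size budget and function names are assumptions chosen for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath
# Assumed policy for this example (not taken from E-POINT CMS).
ALLOWED_EXT = {".png", ".jpg", ".pdf", ".txt"}
MAX_DEPTH = 1                        # levels of archive-inside-archive to open
MAX_TOTAL_BYTES = 10 * 1024 * 1024   # uncompressed budget across all levels

def inspect_zip(data, depth=0, prefix="", budget=None):
    """Return a list of policy violations found in a ZIP, including nested ZIPs."""
    budget = budget if budget is not None else [MAX_TOTAL_BYTES]
    problems = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{prefix or '<upload>'}: not a valid ZIP"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.replace("\\", "/")
            label, path = prefix + name, PurePosixPath(name)
            if path.is_absolute() or ".." in path.parts:
                problems.append(f"{label}: path escapes extraction directory")
                continue
            budget[0] -= info.file_size
            if budget[0] < 0:
                problems.append(f"{label}: uncompressed size budget exceeded")
                return problems
            ext = path.suffix.lower()
            if ext == ".zip":
                if depth >= MAX_DEPTH:
                    problems.append(f"{label}: archive nesting too deep")
                else:  # apply the same policy to the inner archive
                    problems += inspect_zip(zf.read(info), depth + 1, label + "!/", budget)
            elif ext not in ALLOWED_EXT:
                problems.append(f"{label}: file type {ext or '(none)'} not allowed")
    return problems

def make_zip(entries):
    """Build a ZIP in memory from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
# Constructed samples: the inner file holds inert placeholder text.
NESTED = make_zip({"docs.zip": make_zip({"webshell.php": b"placeholder"}), "a.png": b"x"})
CLEAN = make_zip({"readme.txt": b"hello", "img/logo.png": b"x"})
```

An upload is accepted only when `inspect_zip` returns an empty list; extracting accepted files to a directory the web server does not serve or execute from covers the extraction-target side of the issue.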

Affected products

e-point — e-point_cms

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.