Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.7
CVE-2018-25409: SIM-PKH 2.4.1 allows attackers to upload malicious PHP files
CVE-2018-25409
Summary
Authenticated attackers can upload malicious PHP files through the SIM-PKH 2.4.1 system, which can lead to unauthorized code execution. This is a serious security risk that can allow attackers to take control of the system. To protect against this, update to a fixed version of SIM-PKH or apply a patch as soon as possible.
Original title
SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can uploa...
Original description
SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with module=pengurus and act=update parameters, which are stored in the foto directory and executed as web scripts.
nvd CVSS3.1
8.8
nvd CVSS4.0
8.7
Vulnerability type
CWE-434
Unrestricted File Upload
Published: 30 May 2026 · Updated: 1 Jun 2026 · First seen: 30 May 2026