CVE-2025-10353
Published: 08 October 2025
Summary
CVE-2025-10353 is a critical-severity Multiple Trailing Dot (CWE-43) vulnerability in Incibe (inferred from references). Its CVSS base score is 9.3 (Critical).
Operationally, ranked in the top 20.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-10353 is an unrestricted file upload vulnerability that leads to remote code execution in the melis-cms-slider module of Melis Technology's Melis Platform. The flaw resides in the endpoint /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm, where the mcsdetail_img parameter accepts arbitrary files without sufficient validation, enabling an attacker to place executable content on the server.
An unauthenticated remote attacker can exploit the issue by sending a crafted POST request containing a malicious file. Successful exploitation grants the ability to execute arbitrary code on the underlying server with the privileges of the web application process, resulting in full compromise of confidentiality, integrity, and availability.
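The root cause described above is an upload endpoint that trusts the client-supplied file. The following is an added example of the server-side checks a defender would expect such an endpoint to perform; it is not code from Melis Platform (which is PHP), and it is written in Python for illustration. The names validate_image_upload, check_samples, ALLOWED_TYPES, MAX_BYTES and UPLOAD_DIR, and all sample submissions, are assumptions constructed for this example.

```python
import os
import secrets

# Allowlisted image extensions and the magic-byte prefixes their content must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024          # assumed size cap for a slider image
UPLOAD_DIR = "/var/lib/app/uploads"  # assumed location *outside* the web root


class UploadRejected(ValueError):
    """Raised when an upload fails one of the server-side checks."""


def validate_image_upload(filename: str, data: bytes) -> str:
    """Validate an uploaded image and return the random name it should be stored under.

    Checks, in order: size, filename hygiene (no path components, NUL bytes or
    trailing dots), extension allowlist based on the last suffix only, and
    content sniffing so the bytes match the declared type. The client-supplied
    name is never used for storage.
    """
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    if os.path.basename(filename) != filename or "\x00" in filename or filename.endswith("."):
        raise UploadRejected("unsafe filename")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared image type")
    # Random server-chosen name: nothing attacker-controlled reaches the filesystem.
    return f"{secrets.token_hex(16)}.{ext}"


def storage_path(stored_name: str) -> str:
    """Absolute path for a validated file, under a directory the web server does not execute from."""
    path = os.path.join(UPLOAD_DIR, stored_name)
    if os.path.dirname(path) != UPLOAD_DIR:
        raise UploadRejected("path escapes upload directory")
    return path


# Constructed sample submissions (not real traffic): label -> (filename, body).
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + bytes(32)
SAMPLE_UPLOADS = {
    "valid_png": ("slide.png", PNG_HEADER),
    "script_as_php": ("slide.php", b"<?php echo 'x'; ?>"),
    "double_extension": ("slide.png.php", PNG_HEADER),
    "spoofed_content": ("slide.png", b"<?php echo 'x'; ?>"),
    "path_traversal": ("../slide.png", PNG_HEADER),
    "trailing_dot": ("slide.png.", PNG_HEADER),
}


def check_samples() -> dict:
    """Run every sample through the validator; map label -> 'accepted' or the rejection reason."""
    results = {}
    for label, (fname, body) in SAMPLE_UPLOADS.items():
        try:
            validate_image_upload(fname, body)
            results[label] = "accepted"
        except UploadRejected as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in check_samples().items():
        print(f"{label:18} {outcome}")
```

Only the valid PNG sample is accepted; everything else is refused before any bytes are written. Two design points matter beyond the checks themselves: the stored name is generated server-side so the client never influences the path, and the file lives outside the web root and is served back through an application handler with an explicit image Content-Type, so even a file that passes sniffing is never handed to a script interpreter. Re-encoding accepted images through an image library is a further hardening step.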
Public references include a proof-of-concept on GitHub and an INCIBE advisory that addresses multiple vulnerabilities affecting the Melis Platform.
The EPSS score rose materially from a low baseline to a peak of 0.0758 on 2026-02-18 before receding, indicating that exploitation interest increased after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-31830
- 🇪🇸 INCIBE: www.incibe.es
Vulnerability details
File upload leading to remote code execution (RCE) in the “melis-cms-slider” module of Melis Technology's Melis Platform. This vulnerability allows an attacker to upload a malicious file via a POST request to '/melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm' using the 'mcsdetail_img' parameter.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.