Cyber Resilience

CVE-2025-10353

Severity: Critical
Published: 08 October 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS v4.0 base score: 9.3 (Critical)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS score: 0.0128 (80.0th percentile)
Risk priority: 19 (site weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-10353 is a critical-severity unrestricted file upload vulnerability (CWE-434, Unrestricted Upload of File with Dangerous Type; the CWE-43 "Multiple Trailing Dot" label carried by some feeds does not match the described flaw) in the melis-cms-slider module of Melis Technology's Melis Platform. INCIBE is the CNA that published the advisory, not the affected vendor. Its CVSS v4 base score is 9.3 (Critical).

Operationally, its EPSS score of 0.0128 places it in the top 20% of CVEs by predicted exploit likelihood (80th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-10353 is an unrestricted file upload vulnerability leading to remote code execution in the melis-cms-slider module of Melis Technology's Melis Platform. The flaw is in the endpoint /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm: the mcsdetail_img parameter, intended for slider images, accepts arbitrary files without sufficient validation of either the file name or its content, so an attacker can write executable content (for example a PHP web shell) to a location the web server serves.

An unauthenticated remote attacker exploits the issue with a single crafted POST request (a multipart form upload) carrying the malicious file; the CVSS v4 vector (AV:N/AC:L/AT:N/PR:N/UI:N) records no required privileges and no user interaction. Once the uploaded file is reachable under a path the server will execute, the attacker runs arbitrary code with the privileges of the web application process, fully compromising the confidentiality, integrity and availability of the host.
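The exploitation pattern above (a POST to the upload endpoint followed by requests to the dropped script) can be triaged from web server access logs. The following is an added example, not code from the advisory or from Melis Technology: it parses combined-format log lines, flags POSTs to the saveDetailsForm endpoint, flags requests for script-like files under a media directory, and marks whether the same client address posted to the upload endpoint first. The media prefix /media/slider/ and the sample log lines are constructed assumptions; the real directory depends on the deployment.

```python
import re
from collections import defaultdict

# Constructed sample of combined-format access log lines, not real traffic.
# 203.0.113.7 posts to the upload endpoint and then calls a PHP file;
# 198.51.100.4 looks like an ordinary editor saving a slider image;
# 192.0.2.9 calls the dropped file from a different address.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "GET /melis/MelisCmsSlider HTTP/1.1" 404 512
203.0.113.7 - - [10/Oct/2025:12:00:05 +0000] "POST /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm HTTP/1.1" 200 212
203.0.113.7 - - [10/Oct/2025:12:00:09 +0000] "GET /media/slider/cmd.php?c=id HTTP/1.1" 200 87
198.51.100.4 - - [10/Oct/2025:12:01:00 +0000] "POST /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm HTTP/1.1" 200 198
198.51.100.4 - - [10/Oct/2025:12:01:02 +0000] "GET /media/slider/banner.png HTTP/1.1" 200 44123
192.0.2.9 - - [10/Oct/2025:12:02:00 +0000] "GET /media/slider/cmd.php?c=whoami HTTP/1.1" 200 91
"""

UPLOAD_ENDPOINT = "/melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm"
# Assumption: slider images are served from under this prefix on the monitored
# deployment; the advisory does not document the storage location.
MEDIA_PREFIX = "/media/slider/"
# Extensions a PHP-executing web server would run if dropped into a served directory.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def analyse(log_text):
    """Return findings as dicts: POSTs to the upload endpoint, and requests for
    script files under the media prefix, marked with whether the same IP
    hit the upload endpoint earlier in the log."""
    findings = []
    uploaders = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path = m["target"].split("?", 1)[0]  # drop the query string
        if method == "POST" and path == UPLOAD_ENDPOINT:
            uploaders.add(ip)
            findings.append({"kind": "upload_endpoint_post", "ip": ip,
                             "path": path, "status": status})
        elif path.startswith(MEDIA_PREFIX) and SCRIPT_EXT.search(path):
            findings.append({"kind": "script_in_media_dir", "ip": ip,
                             "path": path, "status": status,
                             "same_ip_uploaded": ip in uploaders})
    return findings


def summarise(findings):
    """Count findings per kind, plus script hits correlated with a prior
    upload-endpoint POST from the same address."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["kind"]] += 1
        if f["kind"] == "script_in_media_dir" and f["same_ip_uploaded"]:
            counts["correlated"] += 1
    return dict(counts)


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for f in found:
        print(f)
    print(summarise(found))
```

A POST to the endpoint is also what a legitimate editor saving a slider produces, so on its own it is a triage signal rather than an alert; the strong signal is any script file being requested under a media directory at all, and the correlation with an earlier POST from the same address is what prioritises the case. A production rule should additionally check that the POST arrived without an authenticated back-office session, which the access log alone does not show.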

Public references include a proof-of-concept on GitHub and an INCIBE advisory that addresses multiple vulnerabilities affecting the Melis Platform.

The EPSS score rose materially from a low baseline to a peak of 0.0758 on 2026-02-18 before receding, indicating that exploitation interest increased after disclosure.

Vulnerability details

File upload leading to remote code execution (RCE) in the “melis-cms-slider” module of Melis Technology's Melis Platform. This vulnerability allows an attacker to upload a malicious file via a POST request to '/melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm' using the 'mcsdetail_img' parameter.

CWE(s)

The description corresponds to CWE-434, Unrestricted Upload of File with Dangerous Type.

Related Threats

No named actor attribution yet. The described attack maps to ATT&CK T1190 (Exploit Public-Facing Application) for the unauthenticated upload and T1505.003 (Server Software Component: Web Shell) for the executable file left on the server; a public proof-of-concept exists on GitHub.

Affected Assets

Melis Platform, melis-cms-slider module (Melis Technology)
Taken from the vulnerability description and the INCIBE advisory; NVD did not file a CPE for this CVE, and affected version ranges are not stated on this page.

Mitigating Controls

No controls have been mapped to this CVE by the site's per-CVE annotator. For the weakness class, the practitioner's controls are as follows. Apply the vendor fix referenced in the INCIBE advisory for the Melis Platform. Until the fix is deployed, restrict /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm to authenticated back-office sessions at the reverse proxy or web server, since the endpoint is reachable without privileges (CVSS PR:N). Validate uploads server-side: allow-list image extensions, check file content against the claimed type rather than trusting the client's Content-Type, reject names with multiple dots, trailing dots or null bytes, and store files under server-generated names outside the web root or in a directory where script execution is disabled. Finally, hunt for web shells already present: script files (.php, .phtml, .phar) in upload or media directories, and requests to such paths in access logs.
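The validation control described above, as an added example that is not the Melis Platform's own code: a substring-style check of the kind that unrestricted upload bugs typically rely on, placed beside a hardened validator that normalises the name, rejects trailing dots (the CWE-43 path-equivalence trick that lets shell.php. become shell.php on some filesystems), accepts only a single allow-listed extension, checks the content's magic bytes against that extension, and stores the file under a random server-chosen name. The image allow-list, the function names and the sample payloads are assumptions for illustration.

```python
import os
import re
import secrets
from dataclasses import dataclass

# Assumption: the slider endpoint legitimately accepts only raster images.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "webp"}

# Leading bytes for each allowed type. Content is checked, not the
# client-supplied Content-Type header, which an attacker controls.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""


def naive_check(filename: str) -> bool:
    """The kind of check an attacker bypasses: a substring test on the name,
    so 'shell.php.png' passes and may be written to disk as-is."""
    return any(ext in filename.lower() for ext in ALLOWED_EXTENSIONS)


def validate_upload(filename: str, content: bytes) -> Verdict:
    """Hardened validation: returns a Verdict with the server-side name to use."""
    # 1. Keep only the last path component; the client name must never steer
    #    the storage location.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or "\x00" in base:
        return Verdict(False, "null byte or empty name")
    # 2. Trailing dots or spaces are stripped by some filesystems, turning
    #    'shell.php.' into 'shell.php' after a check that saw a harmless name.
    if base != base.rstrip(". "):
        return Verdict(False, "trailing dot or space in filename")
    # 3. Exactly one extension, and a stem made of safe characters, so a
    #    double extension such as 'shell.php.png' cannot reach a handler
    #    that keys on the first dot.
    parts = base.split(".")
    if len(parts) != 2 or not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", parts[0]):
        return Verdict(False, "name must be <stem>.<ext> with a safe stem")
    ext = parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return Verdict(False, f"extension .{ext} not allowed")
    # 4. The bytes must look like the claimed image type.
    if ext == "webp":
        ok = content[:4] == b"RIFF" and content[8:12] == b"WEBP"
    else:
        ok = any(content.startswith(m) for m in MAGIC[ext])
    if not ok:
        return Verdict(False, "content does not match extension")
    # 5. Never reuse the client name on disk: random name, validated extension.
    #    The caller writes this under a directory outside the web root or one
    #    with script execution disabled.
    return Verdict(True, "ok", f"{secrets.token_hex(16)}.{ext}")


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    webshell = b"<?php system($_GET['c']); ?>"
    for name, data in [("shell.php", webshell), ("shell.php.png", png),
                       ("shell.php.", webshell), ("logo.png", webshell),
                       ("logo.png", png)]:
        print(name, "naive:", naive_check(name), "hardened:", validate_upload(name, data))
```

The magic-byte check is necessary but not sufficient on its own: a PHP payload appended after a valid PNG header still passes it, which is why the extension allow-list and a storage directory that the web server will not execute from are the controls that actually stop code execution, and why the file is never written under the name the client supplied.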
