CVE-2025-69906
Published: 05 February 2026
Summary
CVE-2025-69906 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Monstra CMS. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-69906 is an arbitrary file upload vulnerability in the Files Manager plugin of Monstra CMS version 3.0.4. The application performs blacklist-based validation of file extensions and stores uploaded files directly in a web-accessible directory. Under typical server configurations, this allows attackers to upload files interpreted as executable code, resulting in remote code execution. The vulnerability is associated with CWE-434 and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), published on 2026-02-05.
An attacker with low privileges, such as an authenticated user, can exploit this vulnerability remotely with low complexity and no user interaction. By uploading a malicious file that bypasses the blacklist, for example one with a double extension or another evasion technique, the attacker can place executable code in the web root. This leads to remote code execution, with high impact on the confidentiality, integrity, and availability of the affected server.
Advisories and references include a GitHub repository documenting the vulnerability and proof-of-concept (https://github.com/cypherdavy/CVE-2025-69906-Monstra-CMS-3.0.4-Arbitrary-File-Upload-to-RCE) and the source code for the Files Manager plugin (https://github.com/monstra-cms/monstra/tree/master/plugins/box/filesmanager). No patches or specific mitigations are detailed in the CVE description.
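As an added illustration, not Monstra's or the Files Manager plugin's own code, the blacklist pattern the analysis describes is shown next to an allowlist-based check that also controls the stored name and on-disk location; the extension lists, sample filenames and upload directory are constructed for the example.

```php
<?php
// Added illustration (not Monstra's code). Extension lists, filenames and
// the upload directory are constructed for the example.

// Weak pattern: block known-bad extensions and pass everything else. Only
// the final extension is examined, and the outcome depends on which
// extensions the web server happens to execute.
function extension_blacklisted(string $name): bool
{
    $banned = ['php', 'phtml', 'php5', 'phar'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, $banned, true);
}

// Hardened pattern (SI-10 style input validation): accept only extensions
// on a short allowlist, require exactly one extension, and ignore any path
// component. Returns the extension to use, or null to reject the upload.
function allowlisted_extension(string $name): ?string
{
    $allowed = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt'];
    $base  = basename(str_replace('\\', '/', $name));
    $parts = explode('.', $base);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;  // rejects "a", ".htaccess", "a.b.c" and "a."
    }
    $ext = strtolower($parts[1]);
    return in_array($ext, $allowed, true) ? $ext : null;
}

// Store under a server-generated name in a directory outside the document
// root ($uploadDir is an assumed, non-web-accessible path), so the client
// controls neither the name nor where the bytes land. Downloads are then
// served by a handler that sets Content-Type and Content-Disposition.
function stored_path(string $uploadDir, string $ext): string
{
    return rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed inputs: the blacklist accepts every name it has not heard of,
// including dotfiles and HTML; the allowlist accepts only what it lists.
foreach (['report.pdf', 'photo.JPG', 'page.html', 'archive.tar.gz', '.htaccess'] as $n) {
    $ext = allowlisted_extension($n);
    printf("%-16s blacklist:%-7s allowlist:%s\n", $n,
        extension_blacklisted($n) ? 'reject' : 'accept',
        $ext === null ? 'reject' : 'accept -> ' . stored_path('/srv/uploads', $ext));
}
```

Note that the allowlist also drops legitimate multi-part names such as `archive.tar.gz`; if those must be accepted, validate the full suffix against the allowlist rather than loosening the single-extension rule.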
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206862
Vulnerability details
Monstra CMS v3.0.4 contains an arbitrary file upload vulnerability in the Files Manager plugin. The application relies on blacklist-based file extension validation and stores uploaded files directly in a web-accessible directory. Under typical server configurations, this can allow an attacker to upload files that are interpreted as executable code, resulting in remote code execution.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file upload in a public-facing CMS plugin enables Exploit Public-Facing Application (T1190) through a blacklist bypass (e.g., a double extension), allowing the upload of executable web shells (T1505.003, Web Shell) that lead to RCE.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the arbitrary file upload flaw in the Files Manager plugin by requiring timely patching of the vulnerable Monstra CMS component.
- SI-10 (Information Input Validation): enforces proper validation of file uploads at input points, preventing the blacklist bypass techniques that enable executable code uploads.
- SI-3 (Malicious Code Protection): deploys malicious code protection mechanisms to scan and eradicate uploaded executable files before they can be interpreted and executed from the web-accessible directory.