CVE-2025-66256 – Unauthenticated Arbitrary File Upload (patch_contents.php)

CVE ID : CVE-2025-66256

Published : Nov. 26, 2025, 12:41 a.m. | 19 minutes ago

Description : Unauthenticated Arbitrary File Upload (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Unrestricted file upload in patch_contents.php allows uploading malicious files.

The `/var/tdf/patch_contents.php` endpoint allows unauthenticated arbitrary file uploads without file type validation, MIME checking, or size restrictions beyond 16MB, enabling attackers to upload malicious files.

Severity: 9.9 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2025-66265 – Insecure permissions in configuration directory (C:\usr)

CVE-2025-66264 – Unquoted Service path in AutoStart SYSTEM privileged service

CVE-2025-66260 – PostgreSQL SQL Injection (status_sql.php)

CVE-2025-66259 – Authenticated Root Remote Code Execution through improper filtering of HTTP post request parameters