CVE-2025-66256 – Unauthenticated Arbitrary File Upload (patch_contents.php)

CVE ID : CVE-2025-66256

Published : Nov. 26, 2025, 12:41 a.m. | 19 minutes ago

Description : Unauthenticated Arbitrary File Upload (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Unrestricted file upload in patch_contents.php allows uploading malicious files.

The `/var/tdf/patch_contents.php` endpoint allows unauthenticated arbitrary file uploads without file type validation, MIME checking, or size restrictions beyond 16MB, enabling attackers to upload malicious files.

Severity: 9.9 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2025-66257 – Unauthenticated Arbitrary File Deletion (patch_contents.php)

CVE-2025-66255 – Unauthenticated Arbitrary File Upload (upgrade_contents.php)

CVE-2025-66254 – Unauthenticated Arbitrary File Deletion (upgrade_contents.php)

CVE-2025-66253 – Unauthenticated OS Command Injection (start_upgrade.php)