CVE-2012-10050
published 2025-08-08

Priority: P272
Severity: critical, 9.3 (CVSS 4.0)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (all other metrics: X)
EXPLOIT
EPSS: 1.22% (64.8th percentile)
CuteFlow version 2.11.2 and earlier contains an arbitrary file upload vulnerability in the restart_circulation_values_write.php script. The application fails to validate or restrict uploaded file types, allowing unauthenticated attackers to upload arbitrary PHP files to the upload/___1/ directory. These files are then accessible via the web server, enabling remote code execution.

Affected

1 range

Vendor          Product     Version range    Fixed in
cuteflow.org    cuteflow    <= 2.11.2

Detection & IOCs (extracted from sources)

path: upload/___1/
path: restart_circulation_values_write.php
  • Monitor for unauthenticated POST requests to restart_circulation_values_write.php, which is the vulnerable upload endpoint.
  • Alert on PHP files written to or served from the upload/___1/ directory, as this is the attacker-controlled drop location for webshells/payloads.
  • Detect HTTP GET/POST requests to upload/___1/*.php, which would indicate attempted or successful remote code execution following exploitation.
  • The vulnerability affects CuteFlow version 2.11.2 and earlier; verify the target version before applying detections to avoid false positives on patched instances.
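
The request-log checks from the bullets above, as an added example (not part of the original entry or of CuteFlow). It assumes combined-format web server access logs; the sample lines, IP addresses, /cuteflow/ prefix and file names are constructed. It goes one step beyond the bullets by escalating when a client that POSTed to the endpoint is later served a PHP file from upload/___1/.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format (assumed layout): client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
UPLOAD_ENDPOINT = "restart_circulation_values_write.php"
DROP_DIR_PHP = re.compile(r"(^|/)upload/___1/[^/]+\.php$", re.IGNORECASE)

def classify(line):
    """Return (rule, ip, path, status) for a matching log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string and decode percent-encoding before matching.
    path = unquote(urlsplit(m["target"]).path)
    status = int(m["status"])
    # The access log does not show authentication state, so every POST is flagged.
    if m["method"] == "POST" and path.lower().endswith("/" + UPLOAD_ENDPOINT):
        return ("upload_endpoint_post", m["ip"], path, status)
    if m["method"] in ("GET", "POST") and DROP_DIR_PHP.search(path):
        return ("php_in_upload_dir", m["ip"], path, status)
    return None

def scan(lines):
    """Classify each line; escalate PHP served (2xx) to a client that POSTed first."""
    findings, uploaders = [], set()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        rule, ip, path, status = hit
        if rule == "upload_endpoint_post":
            uploaders.add(ip)
        elif ip in uploaders and 200 <= status < 300:
            rule = "upload_then_php_served"
        findings.append((rule, ip, path, status))
    return findings

# Constructed sample lines (documentation IP ranges, made-up paths and names).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "POST /cuteflow/restart_circulation_values_write.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /cuteflow/upload/___1/report%2Ephp?v=1 HTTP/1.1" 200 64',
    '203.0.113.9 - - [01/Jan/2025:10:02:00 +0000] "GET /cuteflow/upload/___1/probe.php HTTP/1.1" 404 196',
    '192.0.2.44 - - [01/Jan/2025:10:03:00 +0000] "GET /cuteflow/upload/___1/scan.pdf HTTP/1.1" 200 9000',
    '192.0.2.44 - - [01/Jan/2025:10:03:10 +0000] "GET /cuteflow/index.php HTTP/1.1" 200 4096',
]
```

A `php_in_upload_dir` finding with a 404 status is a probe for a file that is not there; `upload_then_php_served` is the sequence to triage first.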