CVE-2025-30091

Summary

In Tiny MoxieManager PHP before 4.0.0, remote code execution can occur in the installer command. This vulnerability allows unauthenticated attackers to inject and execute arbitrary code. Attacker-controlled data to InstallCommand can be inserted into config.php, and InstallCommand is available after an installation has completed.

Affected Software

VendorProductVersion RangeStatus
TinyMoxieManager PHP0 < 4.0.0affected

Weaknesses

  • CWE-96: CWE-96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References