| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| silverstripe/framework | composer | >= 3.6.5-rc1, < 3.6.6 | 3.6.6 |
| silverstripe/framework | composer | >= 4.0.3-rc1, < 4.0.4 | 4.0.4 |
| silverstripe/framework | composer | >= 4.1.0-rc1, < 4.1.1 | 4.1.1 |
The vulnerability stems from the default contents of the `File.allowed_extensions` configuration array in the `File` class, which included dangerous file types. The core issue is not in any specific function but in the presence of risky extensions in this configuration array. The fixing commit modifies this static configuration property (removing `.css`, `.js`, and similar extensions), which indicates that the vulnerability was caused by misconfiguration rather than by flawed function logic. The functions that enforce upload restrictions based on this array are critical to the security mechanism, but they are not inherently vulnerable themselves: their security depends entirely on the configured values. No specific functions were identified as vulnerable with high confidence, because the root cause is the content of the default allow-list, not the implementation of the functions that consult it.
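To make the point concrete, here is an added illustration (not SilverStripe's code) of an extension allow-list check of the kind `File.allowed_extensions` drives. The two allow-lists and the set of "active content" extensions are constructed for the example and are much shorter than the real defaults; the check itself is deliberately unchanged between the weak and hardened cases, so the outcome depends only on the configured list, which is exactly the situation the advisory describes.

```python
# Added example: models an upload allow-list like File.allowed_extensions.
# The enforcement logic is identical for both lists; only the configured
# values differ, which is what decides whether script-bearing files get in.
from pathlib import PurePosixPath

# Constructed, abbreviated allow-lists (assumptions for this example).
WEAK_ALLOWED = {"jpg", "png", "gif", "pdf", "css", "js", "html"}  # still lists active-content types
HARDENED_ALLOWED = {"jpg", "png", "gif", "pdf"}                   # active-content types removed

# Extensions a defender would not want served from an upload directory
# (constructed set; the advisory names .css and .js).
ACTIVE_CONTENT = frozenset({"js", "css", "html"})


def extension_of(filename: str) -> str:
    """Return the lowercase final extension of a filename, or '' if it has none.

    Only the last suffix counts ('app.min.JS' -> 'js'), and a dotfile such as
    '.htaccess' has no suffix at all, so it is treated as having no extension.
    """
    return PurePosixPath(filename).suffix[1:].lower()


def is_upload_allowed(filename: str, allowed: set[str]) -> bool:
    """The same enforcement rule for any allow-list: known, listed extension only."""
    ext = extension_of(filename)
    return bool(ext) and ext in allowed


def audit_allow_list(allowed: set[str]) -> set[str]:
    """Return the configured extensions that are active content.

    An empty result is the desired state; a non-empty one is the
    misconfiguration the fix removed from the defaults.
    """
    return set(allowed) & ACTIVE_CONTENT


if __name__ == "__main__":
    for name in ["photo.JPG", "script.js", "theme.css", "README"]:
        print(f"{name:12} weak={is_upload_allowed(name, WEAK_ALLOWED)!s:5} "
              f"hardened={is_upload_allowed(name, HARDENED_ALLOWED)}")
    print("risky entries in weak list:", sorted(audit_allow_list(WEAK_ALLOWED)))
```

The `audit_allow_list` check is the useful takeaway for operators: because the enforcement code is not the problem, a deployment is only protected once the configured list no longer contains active-content extensions, and that is something a configuration audit can verify directly.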