Submit #718481: EyouCMS 1.7.7 Deserializationinfo

TitleEyouCMS 1.7.7 Deserialization
DescriptionEyouCMS ≤1.7.7 contains a PHP Object Injection vulnerability in the arcpagelist functionality. The application uses native unserialize() function on data from the ey_arcmulti database table without class restriction. Combined with ThinkPHP 5.0.24 gadget chains, this can lead to Remote Code Execution or arbitrary file deletion. Exploitation requires the ability to write to the database through SQL injection or other means.
Source⚠️ https://note-hxlab.wetolink.com/share/2wLgcbKe9Toh
User
 pemic (UID 93604)
Submission12/18/2025 08:34 (6 months ago)
Moderation12/30/2025 19:46 (12 days later)
StatusAccepted
VulDB entry339083 [EyouCMS up to 1.7.7 arcpagelist Ajax.php unserialize attstr deserialization]
Points20

PreviousOverviewNext

Do you need the next level of professionalism?

Upgrade your account now!