Description

Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged users who can upload new translated pages to the website.

INFO

Published Date :

2026-05-08T00:00:00.000Z

Last Modified :

2026-05-08T05:52:25.556Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-67886 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-67886.

URL Resource
http://seclists.org/fulldisclosure/2025/Dec/21 cve-icon
https://dev.1c-bitrix.ru/api_help/translate/index.php cve-icon cve-icon
https://dev.1c-bitrix.ru/learning/course/?COURSE_ID=43&LESSON_ID=3055 cve-icon cve-icon
https://karmainsecurity.com/pocs/CVE-2025-67886.php cve-icon cve-icon
https://seclists.org/fulldisclosure/2025/Dec/21 cve-icon cve-icon
https://www.bitrix24.com/self-hosted/ cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System