CVE-2008-6178

Exp

Unrestricted file upload vulnerability in editor/filemanager/browser/default/connectors/php/connector.php in FCKeditor 2.2, as used in Falt4 CMS, Nuke ET, and other products, allows remote attackers to execute arbitrary code by creating a file with PHP sequences preceded by a ZIP header, uploading this file via a FileUpload action with the application/zip content type, and then accessing this file via a direct request to the file in UserFiles/File/, probably a related issue to CVE-2005-4094. NOTE: some of these details are obtained from third party information.

Published: 2009-02-19 Last update: 2026-04-23 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2008-6178 is rated High Exploit Risk (79.1/100): CVSS High severity, with high exploitation likelihood (EPSS 10.87%, 93th percentile). 3 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +1.40% over the last day, indicating growing attacker interest. Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2008-6178

EDB-ID Source Kind Published Link
8060 exploit_db edb 2009-02-16 Exploit-DB ↗
6783 exploit_db edb 2008-10-18 Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2008-6178

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-04-11 9.47% 10.87% +1.40%
2 2026-02-19 9.25% 9.47% +0.22%
3 2026-01-02 9.25%

Full EPSS history (12 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2008-6178

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.5 2.0 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
 10.0 6.4 [email protected]

Weakness enumeration for CVE-2008-6178

OS Trackers for CVE-2008-6178

vendor priority summary link
ubuntu medium CVE-2008-6178 medium priority: Ubuntu including 1 source packages (fckeditor), 7 status rows across 7 suites (dapper, gutsy, hardy, intrepid, jaunty, karmic, upstream): ignored 5, DNE 2. https://ubuntu.com/security/CVE-2008-6178

Affected software / configurations for CVE-2008-6178

Vendor Product Version Raw CPE
fckeditor fckeditor 2.0rc2 cpe:2.3:a:fckeditor:fckeditor:2.0rc2:*:*:*:*:*:*:*
fckeditor fckeditor 2.0rc3 cpe:2.3:a:fckeditor:fckeditor:2.0rc3:*:*:*:*:*:*:*
fckeditor fckeditor 2.2 cpe:2.3:a:fckeditor:fckeditor:2.2:*:*:*:*:*:*:*
fckeditor fckeditor 2.3beta cpe:2.3:a:fckeditor:fckeditor:2.3beta:*:*:*:*:*:*:*
fckeditor fckeditor 2.4.3 cpe:2.3:a:fckeditor:fckeditor:2.4.3:*:*:*:*:*:*:*
phplist phplist 2.10.1 cpe:2.3:a:phplist:phplist:2.10.1:*:*:*:*:*:*:*
phplist phplist 2.10.2 cpe:2.3:a:phplist:phplist:2.10.2:*:*:*:*:*:*:*
phplist phplist 2.10.3 cpe:2.3:a:phplist:phplist:2.10.3:*:*:*:*:*:*:*
phplist phplist 2.10.4 cpe:2.3:a:phplist:phplist:2.10.4:*:*:*:*:*:*:*
phplist phplist 2.10.5 cpe:2.3:a:phplist:phplist:2.10.5:*:*:*:*:*:*:*
phplist phplist 2.10.6 cpe:2.3:a:phplist:phplist:2.10.6:*:*:*:*:*:*:*

References for CVE-2008-6178

cvelogic Threat Intelligence