Vulnerability Details CVE-2025-70151
code-projects Scholars Tracking System 1.0 allows an authenticated attacker to achieve remote code execution via unrestricted file upload. The endpoints update_profile_picture.php and upload_picture.php store uploaded files in a web-accessible uploads/ directory using the original, user-supplied filename without validating the file type or extension. By uploading a PHP file and then requesting it from /uploads/, an attacker can execute arbitrary PHP code as the web server user.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 43.2%
CVSS Severity
CVSS v3 Score 8.8
References
Products affected by CVE-2025-70151
-
cpe:2.3:a:fabian:scholars_tracking_system:1.0