CVE-2025-70151

Published: Feb 18, 2026

Modified: Feb 18, 2026

PUBLISHED

Description

code-projects Scholars Tracking System 1.0 allows an authenticated attacker to achieve remote code execution via unrestricted file upload. The endpoints update_profile_picture.php and upload_picture.php store uploaded files in a web-accessible uploads/ directory using the original, user-supplied filename without validating the file type or extension. By uploading a PHP file and then requesting it from /uploads/, an attacker can execute arbitrary PHP code as the web server user.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://code-projects.org/scholars-tracking-system-in-php-with-source-code/

https://youngkevinn.github.io/posts/CVE-2025-70151-Scholars-FileUpload-RCE/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-70151

Description

Affected Products

References