Cyber Posture

CVE-2019-25709

Severity: Critical · Public PoC · Updated

Published: 12 April 2026
Modified: 23 April 2026
KEV Added: not listed
Patch: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0042 (61.8th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-25709 is a critical-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Codefuture Image Hosting Script. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS score places it in the top 38.2% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced, so the absence of a KEV entry should not be read as absence of working exploit code.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Enforces approved authorizations so that unauthenticated clients cannot read or download imgdb.db, the file that holds the delete IDs in plaintext.

AC-22 Publicly Accessible Content (prevent)

Defines and controls publicly accessible content so that sensitive application data such as imgdb.db is excluded from the web-served tree rather than placed under a directory the web server hands out on request.

SC-7 Boundary Protection (prevent)

Monitors and controls communications at the external boundary so that direct requests for the upload/data directory and the imgdb.db file are denied before they reach the application.
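The quickest way to verify that the access-enforcement and boundary controls above actually took effect is to ask the deployment for the file. The following probe is an added example, not code from the advisory or from CF Image Hosting Script. The path upload/data/imgdb.db is taken from the NVD description; the response classification rules, the User-Agent string and the read limit are assumptions made for illustration.

```python
"""Exposure probe for CVE-2019-25709: does the target still serve upload/data/imgdb.db?

Added example; not code from CF Image Hosting Script or from the advisory.
Only the file path comes from the NVD text. The verdict heuristics are
assumptions for illustration.
"""
import sys
import urllib.error
import urllib.request

# Path named in the NVD description.
DB_PATH = "upload/data/imgdb.db"


def fetch(base_url: str, path: str = DB_PATH, timeout: float = 10.0):
    """GET base_url/path and return (status, first 4 KiB of body).

    HTTP error statuses are returned rather than raised: a 403 or 404 from
    a hardened server is the result we hope for, not a failure.
    """
    url = base_url.rstrip("/") + "/" + path
    req = urllib.request.Request(url, headers={"User-Agent": "imgdb-probe/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as e:
        return e.code, e.read(4096)


def assess(status: int, body: bytes) -> str:
    """Classify a probe result.

    exposed      - 200 with a non-empty, non-HTML body: the file is served as-is
    blocked      - 401/403/404: access denied or the file is not reachable
    inconclusive - anything else, including a 200 that carries an HTML page
                   (soft-404, front page or login form), which needs a manual look
    """
    if status in (401, 403, 404):
        return "blocked"
    if status == 200:
        head = body.lstrip()[:64].lower()
        if head.startswith(b"<!doctype") or head.startswith(b"<html"):
            return "inconclusive"
        if body:
            return "exposed"
    return "inconclusive"


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} https://host.example/", file=sys.stderr)
        return 2
    status, body = fetch(argv[1])
    verdict = assess(status, body)
    print(f"{argv[1]} -> HTTP {status}: {verdict}")
    # Non-zero exit makes the probe usable as a gate in a deployment pipeline.
    return 1 if verdict == "exposed" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it only against hosts you are authorized to test. After a web server rule denies the upload/data directory, the verdict should move from exposed to blocked. A 200 that carries HTML is deliberately reported as inconclusive rather than blocked, because many hosts answer every unknown path with a front page or a login form instead of a 404, and urlopen follows redirects to such pages silently.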

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1574.010 Hijack Execution Flow: Services File Permissions Weakness (Persistence, Privilege Escalation, Defense Evasion)
Adversaries may execute their own malicious payloads by hijacking the binaries used by services.
Why these techniques?

The vulnerability gives an unauthenticated external client access to a sensitive database file through an exposed directory of a public-facing web application (T1190: Exploit Public-Facing Application), which in turn enables data extraction and unauthorized deletions. The secondary mapping to T1574.010 is a loose fit: that sub-technique covers hijacking the binaries of host services, whereas this issue is a world-readable data file. The older identifier T1044 (File System Permissions Weakness), which also appears in this mapping, was deprecated by MITRE and folded into the T1574 sub-techniques, so T1574.010 is the current ID for the same idea. Treat T1190 as the operative technique when selecting detections and controls.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download and decode the application database by accessing the imgdb.db file in the upload/data directory. Attackers can extract delete IDs stored in plaintext from the deserialized database and use them to delete all pictures via the d parameter.

Deeper analysis

CVE-2019-25709 is a critical vulnerability in CF Image Hosting Script version 1.6.5, classified under CWE-552 (Files or Directories Accessible to External Parties). The application stores its serialized database as imgdb.db inside the upload/data directory, and because that directory is served by the web server, an unauthenticated attacker can fetch the file with an ordinary HTTP request. Deserializing the downloaded file yields the delete IDs, which are stored in plaintext rather than hashed or otherwise protected.

Unauthenticated remote attackers can exploit this vulnerability with low complexity, requiring no privileges or user interaction. By downloading the imgdb.db file, decoding it, and using the extracted plaintext delete IDs via the "d" parameter, attackers can delete all pictures hosted by the application. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.
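The chain described above (one read of the database file, then a burst of deletions using the harvested IDs) is easy to spot in web server access logs, and the database read alone is worth an alert. The following detector is an added example, not part of the advisory or of the project. It assumes the Apache/nginx combined log format and assumes the deletion request is a GET to the application root carrying the d parameter (only the parameter name comes from the NVD text); the log lines, client addresses and delete IDs are constructed for illustration.

```python
"""Access-log detection for CVE-2019-25709 exploitation chains.

Added example; not from the advisory or from CF Image Hosting Script.
Flags (1) a successful read of upload/data/imgdb.db and (2) deletion
requests with a d= parameter from the same client afterwards.
Assumptions: combined log format; deletion is a GET with ?d=<id>.
"""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
DB_PATH = "/upload/data/imgdb.db"  # path named in the NVD description


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(m["status"]),
    }


def detect(lines):
    """Return a list of (severity, ip, message) findings.

    A successful read of imgdb.db is reported on its own: that is the data
    disclosure. Deletions via d= are only escalated when the same client read
    the database first, because legitimate uploaders also delete their own
    pictures through that parameter.
    """
    findings = []
    db_readers = {}  # ip -> timestamp of its first successful imgdb.db read
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["path"].endswith(DB_PATH) and rec["status"] == 200:
            if rec["ip"] not in db_readers:
                db_readers[rec["ip"]] = rec["ts"]
                findings.append(("high", rec["ip"],
                                 f"served {DB_PATH} (HTTP 200) at {rec['ts'].isoformat()}"))
        elif "d" in rec["query"] and rec["ip"] in db_readers:
            if rec["ts"] >= db_readers[rec["ip"]]:
                findings.append(("critical", rec["ip"],
                                 f"deletion request d={rec['query']['d'][0]} after database read"))
    return findings


# Constructed sample: one attacker reads the database and then deletes; a
# second client deletes legitimately and is later refused the database.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Apr/2026:13:20:01 +0000] "GET /upload/data/imgdb.db HTTP/1.1" 200 5120 "-" "curl/8.5"',
    '203.0.113.7 - - [12/Apr/2026:13:20:44 +0000] "GET /?d=7f3a9c1b HTTP/1.1" 200 312 "-" "curl/8.5"',
    '203.0.113.7 - - [12/Apr/2026:13:20:45 +0000] "GET /?d=0be4d22a HTTP/1.1" 200 312 "-" "curl/8.5"',
    '198.51.100.9 - - [12/Apr/2026:13:22:10 +0000] "GET /?d=9d1e77c0 HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Apr/2026:13:23:00 +0000] "GET /upload/data/imgdb.db HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for severity, ip, message in detect(SAMPLE_LOG):
        print(f"[{severity}] {ip}: {message}")
```

On the sample the detector raises one high finding for the database read and two critical findings for the deletions that follow it from the same address; the second client's deletion is ignored because it never read the database, and its 403 on imgdb.db shows what a hardened server logs. Keying the escalation on the reading client is a deliberate trade-off: an attacker can read from one address and delete from another, so the high-severity read finding should page on its own rather than wait for a correlated deletion.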

Advisories and related resources, including VulnCheck (https://www.vulncheck.com/advisories/cf-image-hosting-script-unauthorized-database-access) and an Exploit-DB entry (https://www.exploit-db.com/exploits/46094), detail the issue and potential mitigations. Additional references include a CodeFuture forum thread (http://forum.codefuture.co.uk/showthread.php?tid=73141) and https://davidtavarez.github.io/. The CVE was published on 2026-04-12T13:16:33.950.

Details

CWE(s): CWE-552 Files or Directories Accessible to External Parties

Affected Products: codefuture image hosting script 1.6.5

CVEs Like This One

CVE-2020-37082 (shared CWE-552)
CVE-2026-33698 (shared CWE-552)
CVE-2025-69428 (shared CWE-552)
CVE-2024-12917 (shared CWE-552)
CVE-2026-35446 (shared CWE-552)
CVE-2026-34392 (shared CWE-552)
CVE-2026-34361 (shared CWE-552)
CVE-2025-26525 (shared CWE-552)
CVE-2025-41240 (shared CWE-552)
CVE-2025-69990 (shared CWE-552)

References

VulnCheck advisory: https://www.vulncheck.com/advisories/cf-image-hosting-script-unauthorized-database-access
Exploit-DB entry: https://www.exploit-db.com/exploits/46094
CodeFuture forum thread: http://forum.codefuture.co.uk/showthread.php?tid=73141
https://davidtavarez.github.io/