CVE-2025-51414
Published: 13 April 2026
Summary
CVE-2025-51414 is a high-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 22.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-51414 is an arbitrary file upload vulnerability in Phpgurukul Online Course Registration version 3.1, specifically affecting the profile picture upload functionality on the /my-profile.php page. This flaw, associated with CWE-94 (code injection), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts over the network with low complexity and only low privileges required.
The vulnerability can be exploited by authenticated users with low privileges, such as registered participants, who can upload arbitrary files disguised as profile pictures via the affected endpoint. Successful exploitation allows attackers to upload malicious files, potentially leading to remote code execution, server compromise, or other high-impact actions as reflected in the CVSS impact metrics.
Mitigation details and further technical analysis are available in advisories referenced at https://github.com/12T40910/CVE/issues/12 and https://medium.com/@tanushkushtk01/cve-2025-51414-unrestricted-file-upload-in-online-course-registration-v3-1-bd8b839be1d7, published alongside the CVE disclosure on 2026-04-13.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-209427
Vulnerability details
In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An arbitrary file upload in a public-facing web application directly enables initial exploitation (T1190), ingress of attacker-controlled tools and files (T1105), and web shell deployment for remote code execution (T1505.003).
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): requires validation of profile picture uploads so that only legitimate image files are accepted, directly preventing the arbitrary file uploads that lead to code injection.
SI-3 (Malicious Code Protection): implements malicious code protection mechanisms, such as antivirus scanning of uploaded files, to block or detect web shells and other exploits disguised as profile pictures.
SI-2 (Flaw Remediation): mandates timely identification, reporting, and patching of the specific flaw in the /my-profile.php upload handler to remediate the arbitrary file upload vulnerability.
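The input-validation control above is easiest to understand as code. The following is an added example of a hardened profile-picture upload handler written for this page; it is not Phpgurukul's code and does not reproduce the vulnerable /my-profile.php handler. It assumes PHP 8 with the fileinfo and GD extensions, a hypothetical form field named "profilepic", and a hypothetical UPLOAD_DIR outside the web root; the caller is assumed to have already authenticated the user. The key decisions are that the client-supplied filename and Content-Type are never trusted, the type is determined from file content twice (libmagic and getimagesize), the image is re-encoded so that only pixel data reaches disk, and the stored filename is chosen by the server.

```php
<?php
// Added example: hardened profile-picture upload handler (not Phpgurukul's code).
// Assumptions (hypothetical): form field "profilepic", uploads stored in
// UPLOAD_DIR outside the web root, user already authenticated by the caller.

declare(strict_types=1);

const UPLOAD_DIR       = __DIR__ . '/../uploads/profile';   // outside the web root
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;                    // 2 MiB

// Allowed MIME types as detected from file *content*, mapped to the extension
// the server assigns. The client-supplied name and Content-Type are ignored.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate an uploaded image and return the server-assigned filename,
 * or throw on any failure so every rejection takes the same path.
 */
function store_profile_picture(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file provided.');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large.');
    }
    // Only accept files PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }

    // Content sniffing: libmagic decides the type, not the extension in the name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Unsupported image type.');
    }

    // Second, independent check: the bytes must parse as an image of that type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('File is not a valid image.');
    }

    // Re-encode through GD so that any non-image bytes (trailing data, comment
    // chunks, metadata) are discarded; only pixel data is written to disk.
    $image = match ($mime) {
        'image/jpeg' => imagecreatefromjpeg($file['tmp_name']),
        'image/png'  => imagecreatefrompng($file['tmp_name']),
        'image/gif'  => imagecreatefromgif($file['tmp_name']),
    };
    if ($image === false) {
        throw new RuntimeException('Could not decode image.');
    }

    // Server-chosen random name: the client never influences the stored path.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('Upload directory unavailable.');
    }

    $ok = match ($mime) {
        'image/jpeg' => imagejpeg($image, $dest, 90),
        'image/png'  => imagepng($image, $dest),
        'image/gif'  => imagegif($image, $dest),
    };
    imagedestroy($image);
    if (!$ok) {
        throw new RuntimeException('Could not write image.');
    }
    chmod($dest, 0640); // readable by the web server, never executable
    return $name;
}

// Request handling (hypothetical field name "profilepic").
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['profilepic'])) {
    try {
        $stored = store_profile_picture($_FILES['profilepic']);
        // Persist $stored in the user's record and serve it through a
        // read-only route that streams the file; nothing in UPLOAD_DIR
        // is reachable as a script.
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Profile picture rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

Keeping UPLOAD_DIR outside the document root is what makes the remaining checks defence in depth rather than the only barrier: even if a validation step were bypassed, the web server has no route that would interpret a stored file as PHP. Re-encoding with GD drops GIF animation and any EXIF data, which is an acceptable trade for a profile picture.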