Cyber Resilience

CVE-2025-70151

HighPublic PoC

Published: 18 February 2026

Published
18 February 2026
Modified
23 February 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0059 43.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-70151 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Fabian Scholars Tracking System. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).

Deeper analysis

CVE-2025-70151 is an unrestricted file upload vulnerability in code-projects Scholars Tracking System 1.0 that enables remote code execution. The affected endpoints, update_profile_picture.php and upload_picture.php, store user-uploaded files in a web-accessible uploads/ directory using the original, user-supplied filename without any validation of file type or extension. This allows attackers to upload malicious PHP files, which can then be directly accessed and executed from /uploads/ as the web server user. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). By uploading a PHP webshell or script via the profile picture upload functions and subsequently requesting it from the /uploads/ directory, the attacker achieves arbitrary code execution with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), running in the context of the web server process.

References for further details include the project source code page at https://code-projects.org/scholars-tracking-system-in-php-with-source-code/ and a technical write-up at https://youngkevinn.github.io/posts/CVE-2025-70151-Scholars-FileUpload-RCE/. The CVE description does not specify patches or vendor-provided mitigations.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

code-projects Scholars Tracking System 1.0 allows an authenticated attacker to achieve remote code execution via unrestricted file upload. The endpoints update_profile_picture.php and upload_picture.php store uploaded files in a web-accessible uploads/ directory using the original, user-supplied filename without validating the file…

more

type or extension. By uploading a PHP file and then requesting it from /uploads/, an attacker can execute arbitrary PHP code as the web server user.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload in a public-facing web application (T1190) enables authenticated attackers to upload and execute PHP web shells directly from the web-accessible directory (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-70152Same product: Fabian Scholars Tracking System
CVE-2024-57668Same vendor: Fabian
CVE-2025-69565Same vendor: Fabian
CVE-2026-1423Same vendor: Fabian
CVE-2025-7190Same vendor: Fabian
CVE-2026-2213Same vendor: Fabian
CVE-2026-2133Same vendor: Fabian
CVE-2025-0335Same vendor: Fabian
CVE-2026-0577Same vendor: Fabian
CVE-2025-7210Same vendor: Fabian

Affected Assets

fabian
scholars tracking system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of uploaded files at the endpoints to reject dangerous types and extensions like PHP, directly preventing unrestricted file uploads leading to RCE.

prevent

Enforces restrictions on file uploads such as allowed MIME types, extensions, sizes, and filenames to block malicious PHP files from being stored.

preventdetect

Deploys malicious code scanning at web application entry points to identify and block PHP webshells during upload.

References