CVE-2025-70457
Published: 23 January 2026
Summary
CVE-2025-70457 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Remyandrade Modern Image Gallery App. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 47.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of uploaded file contents and types to prevent acceptance of malicious PHP code spoofed as images.
Mandates identification, reporting, and correction of the specific flaw in upload.php enabling unrestricted file uploads with dangerous extensions.
Implements malicious code protection to scan and block uploaded PHP shells before execution or detect them during processing.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated remote code execution via unrestricted file upload to a public-facing web application, directly mapping to Exploit Public-Facing Application (T1190).
NVD Description
A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Modern Image Gallery App v1.0 within the gallery/upload.php component. The application fails to properly validate uploaded file contents. Additionally, the application preserves the user-supplied file extension during the save process. This allows an unauthenticated attacker to upload arbitrary PHP code by spoofing the MIME type as an image, leading to full system compromise.
Deeper analysis
CVE-2025-70457 is a Remote Code Execution (RCE) vulnerability in Sourcecodester Modern Image Gallery App v1.0, specifically within the gallery/upload.php component. The application fails to properly validate the contents of uploaded files and preserves the user-supplied file extension during the save process. This allows attackers to upload arbitrary PHP code by spoofing the MIME type to appear as an image file. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
An unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction. By uploading a malicious PHP file disguised with an image MIME type, the attacker achieves remote code execution on the server, potentially leading to full system compromise through arbitrary code execution.
Mitigation details are available in the GitHub Security Advisory GHSA-8xq6-hjhw-4983 at https://github.com/ismaildawoodjee/vulnerability-research/security/advisories/GHSA-8xq6-hjhw-4983. The application's source code can be reviewed or patched from https://www.sourcecodester.com/php/18572/modern-image-gallery-app-using-php-and-mysql-source-code.html.
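As an added example (not code from the Modern Image Gallery App, its advisory, or NVD), the following PHP upload handler shows the input validation (SI-10) this record calls for, addressing both weaknesses described above: it ignores the client-declared MIME type and the uploaded filename's extension, determines the type from the file's bytes, and assigns the stored name and extension itself. The form field name, upload directory and size limit are assumptions.

```php
<?php
// Added example of a hardened image-upload handler. Not the gallery app's code;
// the field name "image", the upload directory and the size limit are assumed.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';  // assumed; ideally outside the web root
const MAX_BYTES  = 5 * 1024 * 1024;       // assumed 5 MiB limit

// Allowed content types, each mapped to the extension the server assigns.
// The extension is never taken from the client-supplied filename.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate an uploaded file from its bytes, not from $_FILES[...]['type']
 * (client-declared, trivially spoofed) or the original filename.
 * Returns the extension to use on success, throws on any failure.
 */
function validateImageUpload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload missing or failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a file received via HTTP upload');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // First check: content-based type detection via libmagic.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$detected])) {
        throw new RuntimeException('Unsupported content type: ' . $detected);
    }

    // Second, independent check: the file must parse as an image, and the
    // parsed type must agree with the libmagic result.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $detected) {
        throw new RuntimeException('File does not parse as the detected image type');
    }

    return ALLOWED_TYPES[$detected];
}

/**
 * Store a validated upload under a server-generated name. The original
 * filename, including its extension, is discarded entirely.
 */
function storeImageUpload(array $file): string
{
    $ext  = validateImageUpload($file);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644);  // readable, never executable
    return $name;
}

// Usage: assumes a multipart form with a file field named "image".
try {
    $stored = storeImageUpload($_FILES['image'] ?? []);
    echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Content checks alone do not defeat a file that is both a valid image and contains embedded script, so the server-assigned extension and the non-executable storage location are what actually prevent execution; configuring the web server to never hand files in the upload directory to the PHP interpreter (or re-encoding accepted images with an image library before storing them) adds a further layer. Log each rejection with the detected type, which also gives a detection signal for upload attempts that spoof the declared MIME type.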
Details
- CWE(s)