Cyber Resilience

CVE-2025-70457

Critical · Public PoC

Published: 23 January 2026
Modified: 30 January 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0083 (52.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-70457 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Remyandrade Modern Image Gallery App. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 47.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-70457 is a Remote Code Execution (RCE) vulnerability in Sourcecodester Modern Image Gallery App v1.0, specifically within the gallery/upload.php component. The application fails to properly validate the contents of uploaded files and preserves the user-supplied file extension during the save process. This allows attackers to upload arbitrary PHP code by spoofing the MIME type to appear as an image file. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

An unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction. By uploading a PHP file whose declared MIME type claims it is an image, the attacker achieves remote code execution on the server, potentially leading to full system compromise.
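The two defects described above (trusting the client-declared MIME type and keeping the user-supplied extension) map directly onto the SI-10 input-validation control. The following hardened upload step is an added example, not code from the application or the advisory: it sniffs the real content on the server, takes the stored extension from the detected type, and chooses the filename itself. The form field name `image`, the uploads directory and the accepted-type list are assumptions.

```php
<?php
// Added example (not the application's own upload.php): a hardened upload step.
// The client-supplied $file['type'] and original filename are never trusted.
declare(strict_types=1);

// Server-detected content types that are accepted, mapped to the extension the
// file will get on disk. The extension is derived from this table, never from input.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

// Validates one $_FILES entry and stores it; returns the server-chosen filename,
// or null when the upload is rejected. $destDir (assumed) should have no PHP
// handler configured, so that nothing stored there can ever execute.
function storeImageUpload(array $file, string $destDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Reject anything that did not arrive through the HTTP upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Sniff the actual bytes; the Content-Type the client sent is ignored.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($detected) || !isset(ALLOWED_TYPES[$detected])) {
        return null;
    }
    // Independent second check: the file must parse as an image of the same type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $detected) {
        return null;
    }
    // Server-generated name: no path components, no user-chosen extension.
    $name   = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$detected];
    $target = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    chmod($target, 0644); // readable, not executable
    return $name;
}

// Assumed form field "image" and an uploads directory outside the web root.
$saved = storeImageUpload($_FILES['image'] ?? [], __DIR__ . '/../uploads');
http_response_code($saved === null ? 400 : 201);
```

Content sniffing alone does not reject a valid image that also carries PHP source, so the server-chosen extension and a no-execute upload directory are the checks that actually prevent the RCE; the sniffing stops the plain MIME-spoofing case this CVE describes.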

Mitigation details are available in the GitHub Security Advisory GHSA-8xq6-hjhw-4983 at https://github.com/ismaildawoodjee/vulnerability-research/security/advisories/GHSA-8xq6-hjhw-4983. The application's source code can be reviewed or patched from https://www.sourcecodester.com/php/18572/modern-image-gallery-app-using-php-and-mysql-source-code.html.

Vulnerability details

A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Modern Image Gallery App v1.0 within the gallery/upload.php component. The application fails to properly validate uploaded file contents. Additionally, the application preserves the user-supplied file extension during the save process. This allows an unauthenticated attacker to upload arbitrary PHP code by spoofing the MIME type as an image, leading to full system compromise.

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote code execution via unrestricted file upload to a public-facing web application, directly mapping to Exploit Public-Facing Application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3163 (same vendor: Remyandrade)
CVE-2025-1166 (same vendor: Remyandrade)
CVE-2025-12352 (shared CWE-434)
CVE-2026-1730 (shared CWE-434)
CVE-2025-13067 (shared CWE-434)
CVE-2025-54449 (shared CWE-434)
CVE-2025-1070 (shared CWE-434)
CVE-2025-12528 (shared CWE-434)
CVE-2025-67325 (shared CWE-434)
CVE-2025-65471 (shared CWE-434)

Affected Assets

Vendor: remyandrade
Product: modern image gallery app
Version: 1.0

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent)
Directly requires validation of uploaded file contents and types to prevent acceptance of malicious PHP code spoofed as images.

SI-2 Flaw Remediation (prevent)
Mandates identification, reporting, and correction of the specific flaw in upload.php enabling unrestricted file uploads with dangerous extensions.

Malicious code protection (prevent · detect)
Implements malicious code protection to scan and block uploaded PHP shells before execution or detect them during processing.

References