Unrated severityNVD Advisory· Published Feb 18, 2026· Updated Feb 18, 2026

CVE-2025-70151

Description

code-projects Scholars Tracking System 1.0 allows an authenticated attacker to achieve remote code execution via unrestricted file upload. The endpoints update_profile_picture.php and upload_picture.php store uploaded files in a web-accessible uploads/ directory using the original, user-supplied filename without validating the file type or extension. By uploading a PHP file and then requesting it from /uploads/, an attacker can execute arbitrary PHP code as the web server user.

Affected products

code-projects/Scholars Tracking Systemdescription
Code Projects/Community Project Scholars Tracking Systemllm-fuzzy
Range: = 1.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

code-projects.org/scholars-tracking-system-in-php-with-source-code/mitre
youngkevinn.github.io/posts/CVE-2025-70151-Scholars-FileUpload-RCE/mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000