Computer Laboratory System CVE-2025-14641
Severity: LOW
CVSS Vector (NVD):
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
A flaw has been found in code-projects Computer Laboratory System 1.0. This issue affects some unknown processing of the file admin/admin_pic.php. This manipulation of the argument image causes unrestricted upload. The attack may be initiated remotely. The exploit has been published and may be used.
Analysis (AI)
Unrestricted file upload in Computer Laboratory System 1.0, via the image parameter of admin/admin_pic.php, lets an authenticated administrator upload arbitrary files over the network, and public proof-of-concept code demonstrates it. The CVSS 4.0 vector rates the issue Low mainly because of the privilege requirement (PR:H), but that rating assumes the admin account is trustworthy. An attacker who holds or obtains admin credentials (for example through reuse, phishing, or a separate flaw) can upload a PHP file; if the file lands in a web-accessible directory, requesting it yields code execution as the web server user and a durable foothold on the host.
Technical Context (AI)
Computer Laboratory System 1.0, a web-based educational management application from code-projects, contains an unrestricted file upload vulnerability in the admin/admin_pic.php endpoint. The endpoint is meant for administrator profile picture uploads; the NVD text describes the affected code path only as "unknown processing" of the 'image' parameter, so the exact defect is not documented here, but the effect is that files are accepted without adequate checking of extension, declared type, or content. The assigned weakness is CWE-284 (Improper Access Control); the pattern itself is the one catalogued as CWE-434 (Unrestricted Upload of File with Dangerous Type). This is the classic PHP upload flaw: a handler that trusts the client-supplied filename or Content-Type header (or enforces a check only in browser-side JavaScript) and writes the file into a directory served by the web server, so an uploaded .php, .phtml or .phar file becomes a web shell the moment it is requested.
Remediation (AI)
Apply a vendor-released patch or upgrade to a fixed version if one is available; contact Carmelo or code-projects.org for security updates. If no official patch exists, harden the admin/admin_pic.php upload handler server-side: determine the file type by inspecting the content on the server (never from the client-supplied Content-Type or filename), accept only an allowlist of image types (e.g. .jpg, .png, .gif), confirm the magic bytes and image structure match that type, generate the stored filename yourself with an extension derived from the verified type, and write uploads outside the web root or into a directory where the web server is configured to refuse script execution. Independently, keep admin_pic.php behind a proper server-side session and role check, add a CSRF token to the upload form so an admin's browser cannot be tricked into uploading on an attacker's behalf, and monitor the upload directory for files that are not images. The cost of these controls is slightly more server work per upload and the rejection of unusual image formats, which is acceptable given the benefit.
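The following PHP is an added example illustrating both the flaw class described under Technical Context and the hardening steps above. It is not code from Computer Laboratory System 1.0 and does not reproduce admin/admin_pic.php; the "naive" handler is a hypothetical pattern that produces a CWE-434 bug, and the function names, the `$uploadDir` location, and the assumption that the caller has already verified an admin session are all assumptions made for the example.

```php
<?php
// Added illustrative example, not the project's code. The naive handler is a
// hypothetical pattern for the bug class; hardened_upload() is one way to fix it.
declare(strict_types=1);

// --- Naive handler (DO NOT USE): trusts the client-supplied filename ------------
function naive_upload(array $file, string $uploadDir): string
{
    // "shell.php" is stored verbatim; if $uploadDir is under the web root the
    // next GET request to it executes the attacker's PHP.
    $dest = $uploadDir . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// --- Hardened handler -------------------------------------------------------------
// Assumptions (not from the page): $uploadDir is outside the document root or has
// script execution disabled, and the caller has already checked the admin session.
final class ImageUploadError extends RuntimeException {}

function hardened_upload(array $file, string $uploadDir, int $maxBytes = 2_000_000): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new ImageUploadError('upload failed with code ' . (int) ($file['error'] ?? -1));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new ImageUploadError('not an uploaded file');
    }
    if ((int) $file['size'] > $maxBytes) {
        throw new ImageUploadError('file too large');
    }

    // 1. Server-side type detection with libmagic; $file['type'] is client-supplied
    //    and is deliberately ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];
    if ($mime === false || !isset($allowed[$mime])) {
        throw new ImageUploadError('unsupported type ' . var_export($mime, true));
    }

    // 2. Structural check: getimagesize() parses the image header and must agree
    //    with libmagic, so a PHP script with a forged header or a mislabelled file
    //    is rejected.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new ImageUploadError('content does not parse as ' . $mime);
    }

    // 3. The stored name is random and its extension comes from the verified type,
    //    never from the client, so "../", null bytes and double extensions such as
    //    shell.php.jpg never reach the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new ImageUploadError('could not store file');
    }
    chmod($dest, 0644); // readable, never executable

    // Only the generated name is persisted; the file is served through a
    // read-only route, not by exposing $uploadDir directly.
    return $name;
}

// Usage inside the endpoint, after the (assumed) admin session and CSRF checks:
// $stored = hardened_upload($_FILES['image'], __DIR__ . '/../../uploads_private');
```

The content checks only matter if the storage location is also safe: a file that passes as a valid PNG can still carry PHP in a comment or EXIF segment, which is harmless as long as the web server never hands it to the PHP interpreter. So pair the handler with a directory outside the document root or, if it must stay under the web root, a web server rule that disables PHP there (for Apache, `php_admin_flag engine off` in the vhost for that directory; for nginx, a `location` block that denies `.php` requests under the upload path) rather than relying on a `.htaccess` file that an upload could overwrite.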