Student File Management System CVE-2025-15050
Severity: LOW (CVSS vector, NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
A security vulnerability has been detected in code-projects Student File Management System 1.0. This affects an unknown part of the file /save_file.php. Such manipulation of the argument File leads to unrestricted upload. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
Analysis (AI)
An unrestricted file upload vulnerability in code-projects Student File Management System 1.0 allows authenticated remote attackers (PR:L) to bypass file upload restrictions via manipulation of the File parameter in /save_file.php. The CVSS v4.0 score of 2.1 reflects only low confidentiality, integrity, and availability impact on the vulnerable system, with no impact on subsequent systems (SC/SI/SA all N). The exploit is publicly available, and the low EPSS score (0.09%, 25th percentile) suggests limited real-world exploitation attempts despite public disclosure.
Technical Context (AI)
The vulnerability exists in the /save_file.php endpoint of a PHP-based student file management application and involves improper input validation or access control on the File parameter (CWE-284: Improper Access Control). The attack vector is network-accessible, requires authenticated access (PR:L per CVSS v4.0), and involves manipulation of file upload arguments to circumvent upload restrictions. The underlying technology is a PHP web application handling student file uploads without proper server-side validation of uploaded file types or destinations. CPE cpe:2.3:a:fabian:student_file_management_system:1.0:*:*:*:*:*:*:* identifies the affected product as authored by 'fabian' with version 1.0.
Remediation (AI)
Upgrade to a patched version if available from the vendor at https://code-projects.org/; however, no specific patched version number is confirmed in available data. As interim compensating controls, implement strict server-side file type validation based on file content (magic bytes) rather than file extension alone in the /save_file.php endpoint, restrict uploaded files to a non-executable directory outside the web root, apply a whitelist of allowed file types and extensions, enforce file size limits, and generate random filenames to prevent directory traversal attacks via the File parameter. Additionally, ensure authentication mechanisms are robust and audit all file uploads to detect suspicious patterns. Consider disabling the /save_file.php endpoint entirely if file upload functionality is not essential until a patch is applied.
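The following is an added example of a hardened upload handler that applies the interim controls listed above; it is not code from the Student File Management System project. It assumes the upload field is named File (as in the advisory), and the storage directory, size limit, and allowed-type whitelist are hypothetical choices that a deployment would adjust. The client-supplied filename is used only to look up the extension in the whitelist; the stored path is always server-generated.

```php
<?php
// Added example, not code from the affected project. Assumed values are marked.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumed: a directory outside the web root
const MAX_BYTES  = 5 * 1024 * 1024;      // assumed: 5 MiB size limit

// Whitelist: extension => [MIME type libmagic must report, accepted magic-byte prefixes]
const ALLOWED = [
    'pdf' => ['application/pdf', ["%PDF-"]],
    'png' => ['image/png',       ["\x89PNG\r\n\x1a\n"]],
    'jpg' => ['image/jpeg',      ["\xFF\xD8\xFF"]],
];

// Validates an upload purely on server-side evidence; returns [extension, detected MIME].
function validateUpload(string $tmpPath, string $clientName, int $size, int $error): array
{
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . $error);
    }
    if ($size <= 0 || $size > MAX_BYTES) {
        throw new RuntimeException('File size out of range');
    }
    // Only the final path component of the client name is consulted, and only for the
    // whitelist lookup; it never becomes part of the destination path.
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('File type not allowed');
    }
    [$expectedMime, $magics] = ALLOWED[$ext];

    // Content check 1: magic bytes at offset 0 must match the claimed type.
    $head = (string) file_get_contents($tmpPath, false, null, 0, 16);
    $magicOk = false;
    foreach ($magics as $magic) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            $magicOk = true;
            break;
        }
    }
    if (!$magicOk) {
        throw new RuntimeException('File content does not match its extension');
    }

    // Content check 2: libmagic's classification of the whole file must agree as well.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if ($detected !== $expectedMime) {
        throw new RuntimeException('Detected MIME type ' . var_export($detected, true) . " is not {$expectedMime}");
    }
    return [$ext, $detected];
}

// Moves the validated temp file to a random, server-chosen, non-executable name.
function storeUpload(string $tmpPath, string $ext): string
{
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    if (!is_uploaded_file($tmpPath) || !move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);  // readable by the app, never executable
    return $name;
}

// Handler body for POST /save_file.php. Session/authentication checks are assumed
// to have run before this point; $_SESSION['user'] is an assumed session key.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['File'])) {
    $f = $_FILES['File'];
    $user = $_SESSION['user'] ?? 'unknown';
    try {
        [$ext] = validateUpload($f['tmp_name'], (string) $f['name'], (int) $f['size'], (int) $f['error']);
        $stored = storeUpload($f['tmp_name'], $ext);
        // Audit trail for later review of upload patterns.
        error_log(sprintf('upload ok user=%s stored=%s ext=%s', $user, $stored, $ext));
        http_response_code(200);
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        error_log(sprintf('upload rejected user=%s name=%s reason=%s',
            $user, (string) ($f['name'] ?? ''), $e->getMessage()));
        http_response_code(400);
        echo 'Upload rejected';
    }
}
```

Two independent content checks are used on purpose: the magic-byte prefix catches a renamed script early and cheaply, while the libmagic classification rejects files that carry a valid header but otherwise do not parse as the claimed type. Because the stored name is generated with random_bytes and the directory is fixed, nothing in the File parameter (name or content) can influence where the file lands or whether the web server will execute it.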