What is the CVSS score of CVE-2025-26199?

CVE-2025-26199 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 1.1%.

Which versions of PHP are affected by CVE-2025-26199?

CloudClassroom-PHP-Project v1.0 transmits login credentials over unencrypted HTTP, allowing attackers on shared networks to steal user passwords and gain unauthorized system access.

Is there a public PoC exploit available for CVE-2025-26199?

Yes, a public proof-of-concept exploit is available for CVE-2025-26199. Prioritise patching immediately. EPSS: 1.1%.

How to fix or mitigate CVE-2025-26199?

Within 24 hours: Immediately disable public internet access to CloudClassroom-PHP-Project and restrict to internal networks only; notify all users to change passwords from a secure channel. Within 7 days: Force HTTPS/TLS encryption by deploying a reverse proxy or load balancer in front of the application, implement network segmentation to isolate the application, and audit access logs for credential theft indicators. Within 30 days: Evaluate replacement or complete remediation of this application; if retained, implement mandatory multi-factor authentication and continuous monitoring for unauthorized administrative actions.

PHP CVE-2025-26199

EUVD-2025-18665 CRITICAL

Cleartext Transmission of Sensitive Information (CWE-319)

2025-06-18 cve@mitre.org

RCE PHP Information Disclosure Authentication Bypass Cloudclassroom Php Project

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 22:49 euvd

EUVD-2025-18665

Analysis Generated

Mar 14, 2026 - 22:49 vuln.today

PoC Detected

Jul 09, 2025 - 18:25 vuln.today

Public exploit code

CVE Published

Jun 18, 2025 - 20:15 nvd

CRITICAL 9.8

DescriptionCVE.org

CloudClassroom-PHP-Project v1.0 is affected by an insecure credential transmission vulnerability. The application transmits passwords over unencrypted HTTP during the login process, exposing sensitive credentials to potential interception by network-based attackers. A remote attacker with access to the same network (e.g., public Wi-Fi or compromised router) can capture login credentials via Man-in-the-Middle (MitM) techniques. If the attacker subsequently uses the credentials to log in and exploit administrative functions (e.g., file upload), this may lead to remote code execution depending on the environment.

AnalysisAI

A remote code execution vulnerability in CloudClassroom-PHP-Project v1.0 (CVSS 9.8). Risk factors: public PoC available.

Technical ContextAI

Vulnerability type: remote code execution. CVSS 9.8 indicates critical severity with likely remote exploitation vector. Affects CloudClassroom-PHP-Project v1.0.