What is the CVSS score of CVE-2025-50348?

CVE-2025-50348 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.8%.

Which versions of PHP are affected by CVE-2025-50348?

A directory traversal vulnerability in the Pre-School Enrollment System allows attackers to access and modify unauthorized files on the server.

Is there a public PoC exploit available for CVE-2025-50348?

Yes, a public proof-of-concept exploit is available for CVE-2025-50348. Prioritise patching immediately. EPSS: 0.8%.

How to fix or mitigate CVE-2025-50348?

Within 24 hours: Disable or restrict access to the update-class-pic.php endpoint via firewall or WAF rules; audit logs for suspicious file access attempts. Within 7 days: Conduct a forensic review of uploaded files and system directories to detect unauthorized modifications; identify all systems running PHPGurukul v1.0 and isolate them if possible. Within 30 days: Migrate to an alternative enrollment system or await vendor patch; if no patch is released, implement strict input validation and path canonicalization controls on the affected endpoint.

PHP CVE-2025-50348

EUVD-2025-18923 HIGH

Path Traversal (CWE-22)

2025-06-23 cve@mitre.org

PHP Path Traversal Pre School Enrollment System

7.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 22:10 euvd

EUVD-2025-18923

Analysis Generated

Mar 15, 2026 - 22:10 vuln.today

PoC Detected

Jun 25, 2025 - 13:08 vuln.today

Public exploit code

CVE Published

Jun 23, 2025 - 19:15 nvd

HIGH 7.5

DescriptionCVE.org

PHPGurukul Pre-School Enrollment System Project V1.0 is vulnerable to Directory Traversal in update-class-pic.php.

AnalysisAI

CVE-2025-50348 is a Directory Traversal vulnerability in PHPGurukul Pre-School Enrollment System Project version 1.0, specifically in the update-class-pic.php file. An unauthenticated remote attacker can exploit this vulnerability to read sensitive files from the server, achieving high confidentiality impact without requiring user interaction or special privileges. The vulnerability has a CVSS score of 7.5 (High) with a network-based attack vector and low attack complexity, indicating it is easily exploitable by remote actors; however, exploitation is limited to information disclosure without modification capabilities.

Technical ContextAI

The vulnerability is rooted in CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal'), a common input validation flaw in web applications. The vulnerable component update-class-pic.php likely processes file path parameters (such as image upload/update operations) without proper sanitization or validation. The application fails to implement adequate checks to prevent directory traversal sequences (e.g., '../../../etc/passwd') from being used in file path construction. This is typical in PHP web applications that handle file operations without using secure file handling functions or proper input normalization. The vulnerability affects the PHPGurukul project, which is a PHP-based educational enrollment management system commonly used in small institutions.

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

CVE-2025-50348 vulnerability details – vuln.today

Back

PHP CVE-2025-50348

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

More from same product – last 7 days

Share

External POC / Exploit Code