How to fix CVE-2025-50348?

Within 24 hours: Disable or restrict access to the update-class-pic.php endpoint via firewall or WAF rules; audit logs for suspicious file access attempts. Within 7 days: Conduct a forensic review of uploaded files and system directories to detect unauthorized modifications; identify all systems running PHPGurukul v1.0 and isolate them if possible. Within 30 days: Migrate to an alternative enrollment system or await vendor patch; if no patch is released, implement strict input validation and path canonicalization controls on the affected endpoint.

Is PHP affected by CVE-2025-50348?

A directory traversal vulnerability in the Pre-School Enrollment System allows attackers to access and modify unauthorized files on the server.

CVE-2025-50348

EUVD-2025-18923 HIGH

2025-06-23 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 22:10 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 22:10 euvd

EUVD-2025-18923

PoC Detected

Jun 25, 2025 - 13:08 vuln.today

Public exploit code

CVE Published

Jun 23, 2025 - 19:15 nvd

HIGH 7.5

Description

PHPGurukul Pre-School Enrollment System Project V1.0 is vulnerable to Directory Traversal in update-class-pic.php.

Analysis

CVE-2025-50348 is a Directory Traversal vulnerability in PHPGurukul Pre-School Enrollment System Project version 1.0, specifically in the update-class-pic.php file. An unauthenticated remote attacker can exploit this vulnerability to read sensitive files from the server, achieving high confidentiality impact without requiring user interaction or special privileges. The vulnerability has a CVSS score of 7.5 (High) with a network-based attack vector and low attack complexity, indicating it is easily exploitable by remote actors; however, exploitation is limited to information disclosure without modification capabilities.

Technical Context

The vulnerability is rooted in CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal'), a common input validation flaw in web applications. The vulnerable component update-class-pic.php likely processes file path parameters (such as image upload/update operations) without proper sanitization or validation. The application fails to implement adequate checks to prevent directory traversal sequences (e.g., '../../../etc/passwd') from being used in file path construction. This is typical in PHP web applications that handle file operations without using secure file handling functions or proper input normalization. The vulnerability affects the PHPGurukul project, which is a PHP-based educational enrollment management system commonly used in small institutions.

Affected Products

- product: PHPGurukul Pre-School Enrollment System Project; vendor: PHPGurukul; version: 1.0; affected_component: update-class-pic.php; vulnerability_type: Directory Traversal; notes: The vulnerability exists in version 1.0; patch status for subsequent versions unknown without vendor advisory reference

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.8

CVSS: +38

POC: +20

CVE-2025-50348 vulnerability details – vuln.today

Back

CVE-2025-50348

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

CVE-2025-50348

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

External POC / Exploit Code