How to fix CVE-2025-70151?

Within 24 hours: Assess whether your organization uses Scholars Tracking System version 1.0 or earlier, and if so, restrict network access to this application. Within 7 days: Implement web application firewall (WAF) rules to block file uploads, disable the upload functionality if business-critical operations allow, and increase monitoring for suspicious file upload attempts. Within 30 days: Plan migration to a patched version once released, or replace the system with an alternative solution if vendor remediation timelines are uncertain.

Is PHP affected by CVE-2025-70151?

CVE-2025-70151 affects the Scholars Tracking System, allowing attackers to upload malicious files that could compromise system integrity and enable data breaches or lateral movement within the organization.

CVE-2025-70151

HIGH

2026-02-18 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 23, 2026 - 17:53 vuln.today

Public exploit code

CVE Published

Feb 18, 2026 - 18:24 nvd

HIGH 8.8

Description

code-projects Scholars Tracking System 1.0 allows an authenticated attacker to achieve remote code execution via unrestricted file upload. The endpoints update_profile_picture.php and upload_picture.php store uploaded files in a web-accessible uploads/ directory using the original, user-supplied filename without validating the file type or extension. By uploading a PHP file and then requesting it from /uploads/, an attacker can execute arbitrary PHP code as the web server user.

Analysis

Scholars Tracking System versions up to 1.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

Technical Context

This vulnerability (CWE-434: Unrestricted Upload of File with Dangerous Type) exists in the unrestricted file upload. The component. code-projects Scholars Tracking System 1.0 allows an authenticated attacker to achieve remote code execution via unrestricted file upload. The endpoints update_profile_picture.php and upload_picture.php store uploaded files in a web-accessible uploads/ directory using the original, user-supplied filename without validating the file type or extension. By uploading a PHP file and then requesting it from /uploads/, an attacker can execute arbitrary PHP code as the web server user.

Affected Products

Vendor: Fabian. Product: Scholars Tracking System. Versions: up to 1.0. Component: unrestricted file upload. The.

Remediation

Monitor vendor advisories for a patch. Validate file types by content. Store uploads outside web root. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.3

CVSS: +44

POC: +20

CVE-2025-70151 vulnerability details – vuln.today

Back

CVE-2025-70151

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-70151

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code