CRITICAL🇵🇱 Wersja polska

CVE-2025-69992

CVSS 9.8v3.1pub. 2026-01-13upd. 2026-01-16

phpgurukul News Portal Project V4.1 has File Upload Vulnerability via upload.php, which enables the upload of files of any format to the server without identity authentication.

🤖 AI Analysis
How it works

The upload.php endpoint does not require authentication nor verify the format or extension of the uploaded file. An attacker can send an HTTP request to upload.php without logging in with an attached file of any format, including executable scripts (e.g., PHP webshell). After uploading the file to the server, the attacker can access its URL path and remotely execute the code contained within it in the context of the web server.

Impact

An attacker can gain full control over the server by executing arbitrary code (RCE), leading to violations of confidentiality, integrity, and availability of the system — including data theft, modification of portal content, or complete server takeover.

Mitigation & patch

Apply patches available from the vendor according to references. Temporarily, it is recommended to: disable or secure the upload.php endpoint with an authentication mechanism, implement a whitelist of allowed file extensions, configure the web server to not execute scripts in directories designated for file uploads.

Who is affected

Phpgurukul News Portal Project version V4.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Phpgurukul News Portal

    APP
    Phpgurukul
    4.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-69991CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Phpgurukul News Portal V4.1 (check_availablity.php)

CVE-2025-69990CRITICAL9.1PL ✓ten sam produkt

Arbitrary File Deletion w Phpgurukul News Portal V4.1 (remove_file.php)

CVE-2025-4874MEDIUM6.9ten sam produkt

A vulnerability was found in PHPGurukul News Portal Project 4.1 and classified as critical. Affected by this i...

CVE-2025-4873MEDIUM6.9ten sam produkt

A vulnerability has been found in PHPGurukul News Portal 4.1 and classified as critical. Affected by this vuln...

CVE-2025-4880MEDIUM6.9ten sam produkt

A vulnerability has been found in PHPGurukul News Portal 4.1 and classified as critical. Affected by this vuln...