CVE-2025-46191Code Injection in Client Database Management System

CWE-94Code Injection3 documents3 sources
Severity
9.8CRITICALNVD
EPSS
0.6%
top 30.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Lerouxyxchire Client Database Management System
Timeline
PublishedMay 9

Description

Arbitrary File Upload in user_payment_update.php in SourceCodester Client Database Management System 1.0 allows unauthenticated users to upload arbitrary files via the uploaded_file_cancelled field. Due to the absence of proper file extension checks, MIME type validation, and authentication, attackers can upload executable PHP files to a web-accessible directory (/files/). This allows them to execute arbitrary commands remotely by accessing the uploaded script, resulting in full Remote Code Exec

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-hxm6-cc9v-9f63: Arbitrary File Upload in user_payment_update2025-05-09
CVEList
CVE-2025-46191: Arbitrary File Upload in user_payment_update2025-05-09
CVE-2025-46191 — Code Injection | cvebase