CVE-2025-70457

CRITICAL

Remyandrade Modern Image Gallery App - Unrestricted File Upload

Title source: rule

Description

A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Modern Image Gallery App v1.0 within the gallery/upload.php component. The application fails to properly validate uploaded file contents. Additionally, the application preserves the user-supplied file extension during the save process. This allows an unauthenticated attacker to upload arbitrary PHP code by spoofing the MIME type as an image, leading to full system compromise.

References (2)

[Exploit, Third Party Advisory] https://github.com/ismaildawoodjee/vulnerability-research/security/advisories/GHSA-8xq6-hjhw-4983

[Third Party Advisory] https://www.sourcecodester.com/php/18572/modern-image-gallery-app-using-php-and-mysql-source-code.html

Scores

CVSS v3 9.8

EPSS 0.0029

EPSS Percentile 52.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-434

Status published

Products (1)

remyandrade/modern_image_gallery_app 1.0

Published Jan 23, 2026

Tracked Since Feb 18, 2026