CVE-2025-70457

CRITICAL

Sourcecodester Modern Image Gallery App 1.0 - Unauthenticated Remote Code Execution via File Upload

Title source: llm

Description

A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Modern Image Gallery App v1.0 within the gallery/upload.php component. The application fails to properly validate uploaded file contents. Additionally, the application preserves the user-supplied file extension during the save process. This allows an unauthenticated attacker to upload arbitrary PHP code by spoofing the MIME type as an image, leading to full system compromise.

References (2)

Core 2

Core References

Exploit, Third Party Advisory

https://github.com/ismaildawoodjee/vulnerability-research/security/advisories/GHSA-8xq6-hjhw-4983

Third Party Advisory

https://www.sourcecodester.com/php/18572/modern-image-gallery-app-using-php-and-mysql-source-code.html

Scores

CVSS v3 9.8

EPSS 0.0083

EPSS Percentile 52.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-434

Status published

Products (1)

remyandrade/modern_image_gallery_app 1.0

Published Jan 23, 2026

Tracked Since Feb 18, 2026