{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-57148", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-06T14:07:56.817Z", "dateReserved": "2025-08-17T00:00:00.000Z", "datePublished": "2025-09-03T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-06T14:07:56.817Z"}, "descriptions": [{"lang": "en", "value": "phpgurukul Online Shopping Portal 2.0 is vulnerable to Arbitrary File Upload in /admin/insert-product.php, due to the lack of extension validation."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://doc.clickup.com/3897127/p/h/3pxt7-12496/7fdf159633a77d1"}, {"url": "https://github.com/hptcybersecurity/CVE/blob/main/CVE-2025-57148.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-434", "lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-09-03T17:28:45.895840Z", "id": "CVE-2025-57148", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-03T17:31:06.772Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-57148", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-09-03T17:28:45.895840Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-03T17:30:02.362Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://doc.clickup.com/3897127/p/h/3pxt7-12496/7fdf159633a77d1"}, {"url": "https://github.com/hptcybersecurity/CVE/blob/main/CVE-2025-57148.md"}], "descriptions": [{"lang": "en", "value": "phpgurukul Online Shopping Portal 2.0 is vulnerable to Arbitrary File Upload in /admin/insert-product.php, due to the lack of extension validation."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-06T14:07:56.817Z"}}}, "cveMetadata": {"cveId": "CVE-2025-57148", "state": "PUBLISHED", "dateUpdated": "2026-04-06T14:07:56.817Z", "dateReserved": "2025-08-17T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-09-03T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phpgurukul:online_shopping_portal:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "6E358155-68C0-4C86-8359-49F37445DC44", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "phpgurukul Online Shopping Portal 2.0 is vulnerable to Arbitrary File Upload in /admin/insert-product.php, due to the lack of extension validation."}], "id": "CVE-2025-57148", "lastModified": "2026-04-06T15:17:06.043", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-09-03T15:15:38.717", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://doc.clickup.com/3897127/p/h/3pxt7-12496/7fdf159633a77d1"}, {"source": "cve@mitre.org", "url": "https://github.com/hptcybersecurity/CVE/blob/main/CVE-2025-57148.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T00:23:58.986054+00:00", "value": {"mitigation_remediation": ["Check for an official vendor update or hotfix that fixes the upload validation issue and deploy it without delay.", "Implement strict server\u2011side file type validation by enforcing a whitelist of allowed extensions (e.g., .jpg, .png, .pdf) and verify MIME types before accepting uploads.", "Store uploaded files in a directory that has no execute permissions, rename files to random names, and configure the web server to prevent execution of uploaded content."], "summary": {"action": "Immediate Mitigation", "impact": "Remote code execution via arbitrary file upload"}, "threat_synthesis": {"affected_systems": "The vulnerability affects phpgurukul Online Shopping Portal version 2.0. The admin product insertion page located at /admin/insert-product.php is the specific point of exploitation.", "description_and_impact": "The vulnerability in phpgurukul Online Shopping Portal 2.0 allows arbitrary files to be uploaded to the /admin/insert-product.php endpoint due to missing extension validation. This flaw is classed as CWE-434 and can enable an attacker to upload malicious scripts or other executable files, potentially leading to remote code execution, data theft, or further compromise of the web application.", "risk_and_exploitability": "The CVSS score of 9.1 reflects a high severity risk of remote code execution. The EPSS score of < 1% indicates that, at the time of this analysis, the probability of exploitation observed in the wild is low, but the flaw remains critical. The vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is a web\u2011based POST request to the upload endpoint, typically requiring authenticated admin access or a side\u2011channel that bypasses authentication. Exploitation would involve crafting a request with a malicious file extension that the system does not filter, thereby allowing the attacker to place a payload that the server will execute."}}}}, "created": "2025-09-03T19:30:15.664397+00:00", "updated": "2026-04-28T00:30:15.461350+00:00", "vendors": ["phpgurukul", "phpgurukul$PRODUCT$online_shopping_portal"]}