CVE-2025-10246
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-11

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in lokibhardwaj PHP-Code-For-Unlimited-File-Upload up to 124fe96324915490c81eaf7db3234b0b4e4bab3c. This affects an unknown part of the file /f.php. This manipulation of the argument h causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-11
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10246
EUVD
EUVD-2025-27628
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lokibhardwaj php-code-for-unlimited-file-upload *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Scripting (XSS) issue in the PHP project "PHP-Code-For-Unlimited-File-Upload" by lokibhardwaj. It occurs in the file /f.php where the value of the POST parameter 'h' is directly output into a hidden input field without proper sanitization or encoding. This allows an attacker to inject malicious scripts that can be executed in the context of the victim's browser, leading to potential script-based attacks. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing attackers to inject malicious scripts into the affected web application, which can then be executed in the browsers of users who visit the vulnerable page. This can lead to unauthorized actions such as session hijacking, defacement, or redirection to malicious sites. Remote exploitation is possible but requires user interaction. The integrity of the system is impacted due to the injection of unauthorized scripts. [1, 2]

Detection Guidance

This vulnerability can be detected by identifying the presence of the vulnerable file `f.php` in the PHP-Code-For-Unlimited-File-Upload project and checking if it improperly handles the `h` parameter. One method to find potentially vulnerable targets is using Google dorking with the query `inurl:f.php`. Additionally, inspecting HTTP POST requests to `f.php` for the `h` parameter and analyzing the response for reflected or stored scripts can help detect exploitation attempts. Specific commands for detection are not provided in the resources. [2]

Mitigation Strategies

Immediate mitigation steps include replacing the affected component with an alternative product, as no known countermeasures or patches have been published. Avoid using the vulnerable version up to commit `124fe96324915490c81eaf7db3234b0b4e4bab3c`. Additionally, implementing input sanitization and output encoding for the `h` parameter in `f.php` can prevent script injection. Since the vendor has not responded and no official fixes exist, removing or disabling the vulnerable functionality is recommended. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10246. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart