CVE-2025-9841
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-03

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in code-projects Mobile Shop Management System 1.0. This affects an unknown function of the file AddNewProduct.php. The manipulation of the argument ProductImage leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-03
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-9841
EUVD
EUVD-2025-26471
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fabian mobile_shop_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Mobile Shop Management System 1.0, specifically in the AddNewProduct.php file. It allows an attacker to perform unrestricted file uploads by manipulating the ProductImage argument. Because the system does not properly validate or restrict the uploaded files, an attacker can upload malicious files such as web shells, which can then be executed on the server. This can be done remotely without authentication, making the attack straightforward and accessible. [1, 2]

Detection Guidance

This vulnerability can be detected by searching for the presence of the vulnerable endpoint AddNewProduct.php on your system or network, for example using Google Dorking with the query inurl:AddNewProduct.php. Additionally, monitoring for suspicious file uploads, especially files with executable extensions like .php in the upload directories (e.g., assets/img/Product_Uploaded/) can help detect exploitation attempts. Using tools like Burp Suite to intercept and analyze file upload requests can also reveal attempts to upload malicious files such as webshells. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting allowed file types strictly to safe image formats and excluding executable scripts; enforcing maximum file size limits; filtering special characters in filenames and renaming files randomly to prevent path traversal and overwriting; configuring the upload directory with non-executable permissions to block execution of uploaded files; and logging upload activities including file names, timestamps, and uploader IPs for monitoring and auditing. Since no vendor patch is currently available, replacing the affected software with an alternative product is recommended. [1, 2]

Impact Analysis

Exploitation of this vulnerability can lead to full server compromise, allowing attackers to execute arbitrary code remotely. This can result in data theft, tampering with content, service disruption, and breaches of privacy. The attacker can gain control over the server by uploading and executing malicious files such as web shells. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9841. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart