CVE-2025-66802
Unknown Unknown - Not Provided
Remote Code Execution in Sourcecodester Covid-19 Contact Tracing System

Publication date: 2026-01-12

Last updated on: 2026-01-12

Assigner: MITRE

Description
Sourcecodester Covid-19 Contact Tracing System 1.0 is vulnerable to RCE (Remote Code Execution). The application receives a reverse shell (php) into imagem of the user enabling RCE.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-12
Last Modified
2026-01-12
Generated
2026-06-16
AI Q&A
2026-01-13
EPSS Evaluated
2026-06-14
NVD
CVE-2025-66802
EUVD
EUVD-2026-1913
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester covid-19_contact_tracing_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-66802 is a critical Remote Code Execution (RCE) vulnerability in Sourcecodester Covid-19 Contact Tracing System version 1.0. It occurs because the application allows remote attackers to upload malicious PHP files disguised as user images without proper server-side validation. This enables attackers to execute arbitrary PHP code on the server remotely, gaining control over the system without needing any privileges or user interaction. [1, 2]

Impact Analysis

This vulnerability can lead to a full system compromise by allowing attackers to execute arbitrary code with the privileges of the web server process. Potential impacts include unauthorized data access, modification of application behavior, service disruption, and complete loss of confidentiality, integrity, and availability of the affected system. [1, 2]

Detection Guidance

Detection can focus on monitoring the file upload functionality for suspicious files, especially PHP files disguised as images. You can check the upload directories for unexpected PHP files or files with executable extensions. Commands to find such files on the server include: `find /path/to/upload/directory -type f \( -name "*.php" -o -name "*.php5" -o -name "*.phtml" \)` to locate potentially malicious uploaded files. Additionally, monitoring web server logs for unusual POST requests to the upload endpoint or reverse shell connection attempts can help detect exploitation attempts. [2]

Mitigation Strategies

Immediate mitigation steps include implementing strict server-side validation of uploaded files to restrict allowed file extensions and MIME types, ensuring that only safe file types (e.g., images without executable code) are accepted. Store uploaded files outside the web root to prevent direct execution. Disable execution permissions on upload directories to prevent execution of uploaded scripts. Apply any available vendor patches or updates promptly. Additionally, monitor and restrict access to the file upload functionality to trusted users if possible. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66802. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart