Description
CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download and decode the application database by accessing the imgdb.db file in the upload/data directory. Attackers can extract delete IDs stored in plaintext from the deserialized database and use them to delete all pictures via the d parameter.
Published: 2026-04-12
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Data theft and loss, exposing database and allowing deletion of all images
Action: Patch Now
AI Analysis

Impact

CF Image Hosting Script 1.6.5 contains a flaw that allows any user on the Internet to download the application's SQLite database file (imgdb.db) from the upload/data directory without authentication. The database can then be decoded to reveal delete identifiers stored in plain text. With these identifiers, an attacker can invoke the delete handler via the d parameter and remove every picture stored by the application, effectively causing a denial of service and loss of user content.

Affected Systems

The vulnerability affects the CF Image Hosting Script developed by Davidtavarez, version 1.6.5. No further version details are supplied by the CNA, but the CPE indicates only this specific release is impacted.

Risk and Exploitability

The flaw scores a 9.3 on CVSS, indicating high severity. EPSS data is not available and the issue is not listed in CISA's KEV catalog. The likely attack vector is remote unauthenticated HTTP access to a publicly readable file, so any web user can exploit it without credentials or special conditions.

Generated by OpenCVE AI on April 12, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor's website for a patch or newer version of the CF Image Hosting Script and apply it immediately.

Generated by OpenCVE AI on April 12, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Codefuture
Codefuture image Hosting Script
CPEs cpe:2.3:a:codefuture:image_hosting_script:1.6.5:*:*:*:*:*:*:*
Vendors & Products Codefuture
Codefuture image Hosting Script

Wed, 15 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sun, 12 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download and decode the application database by accessing the imgdb.db file in the upload/data directory. Attackers can extract delete IDs stored in plaintext from the deserialized database and use them to delete all pictures via the d parameter.
Title CF Image Hosting Script 1.6.5 Unauthorized Database Access
First Time appeared Scripteen
Scripteen free Image Hosting Script
Weaknesses CWE-552
CPEs cpe:2.3:a:scripteen:free_image_hosting_script:1.6.5:*:*:*:*:*:*:*
Vendors & Products Scripteen
Scripteen free Image Hosting Script
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Codefuture Image Hosting Script
Scripteen Free Image Hosting Script
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-15T15:24:31.713Z

Reserved: 2026-04-12T12:14:33.041Z

Link: CVE-2019-25709

cve-icon Vulnrichment

Updated: 2026-04-15T15:24:27.764Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-12T13:16:33.950

Modified: 2026-04-23T20:22:37.493

Link: CVE-2019-25709

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T12:55:48Z

Weaknesses