Description
In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page.
Published: 2026-04-13
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted upload of user-supplied files may allow attackers to store and potentially execute malicious code on the web server
Action: Apply Patch
AI Analysis

Impact

An arbitrary file upload vulnerability exists in the profile picture upload feature of Phpgurukul Online Course Registration version 3.1, accessible through the /my-profile.php page. The flaw allows a user to upload any file type without restriction, creating a risk that malicious files can be stored on the server. If the application or server later processes the uploaded file in a way that permits execution, the attacker could inject code, compromise the application, or tamper with stored data.

Affected Systems

The vulnerability affects installations of Phpgurukul Online Course Registration version 3.1. Users who have deployed this version should assess whether the application is reachable via the public internet or internal networks and consider whether any access controls are in place for the profile picture upload area.

Risk and Exploitability

The flaw is remotely exploitable through the web interface; an attacker only needs the ability to submit a file via the upload form on /my-profile.php. The CVSS score is 8.8, indicating high severity, while the EPSS score remains below 1% and the vulnerability is not listed in KEV. The nature of unrestricted file upload indicates that the vulnerability could enable severe impacts if the uploaded content is executed or processed improperly. Until an official patch is released, systems running the vulnerable application remain at risk.

Generated by OpenCVE AI on April 16, 2026 at 02:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether Phpgurukul has released a patch or upgrade for version 3.1 and apply it immediately.
  • If a patch is not available, limit accepted file types by validating MIME type and file extension to approved image formats.
  • Store uploaded files outside the web document root or configure server permissions so that uploaded files cannot be executed directly.
  • Rename uploaded files to avoid name collisions and prevent executable code inclusion.
  • Consider deploying a Web Application Firewall or similar security monitoring to detect and block suspicious file uploads.

Generated by OpenCVE AI on April 16, 2026 at 02:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
Title Unrestricted File Upload in Phpgurukul Online Course Registration

Wed, 15 Apr 2026 23:00:00 +0000

Type Values Removed Values Added
Title Unrestricted File Upload in Profile Picture Upload of Online Course Registration v3.1
Weaknesses CWE-434

Wed, 15 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Unrestricted File Upload in Profile Picture Upload of Online Course Registration v3.1
Weaknesses CWE-434

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Phpgurukul
Phpgurukul online Course Registration
Vendors & Products Phpgurukul
Phpgurukul online Course Registration

Mon, 13 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page.
References

Subscriptions

Phpgurukul Online Course Registration
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-15T17:42:00.712Z

Reserved: 2025-06-16T00:00:00.000Z

Link: CVE-2025-51414

cve-icon Vulnrichment

Updated: 2026-04-15T15:33:03.102Z

cve-icon NVD

Status : Deferred

Published: 2026-04-13T21:16:23.610

Modified: 2026-04-17T15:33:34.050

Link: CVE-2025-51414

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T02:45:06Z

Weaknesses