CVE-2019-25709
Published: 12 April 2026
Description
CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download and decode the application database by accessing the imgdb.db file in the upload/data directory. Attackers can extract delete IDs stored in plaintext from the deserialized database and use them to delete all pictures via the d parameter.
Mitigating Controls (NIST 800-53 r5)
Enforces approved authorizations to prevent unauthenticated access and download of the sensitive imgdb.db file containing plaintext delete IDs.
Defines and controls publicly accessible content to exclude sensitive database files like imgdb.db from external exposure.
Monitors and controls external boundary communications to block unauthorized direct access to the upload/data directory and imgdb.db file.
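To support the monitoring control above, the following added example (not code from the advisory or from the CF Image Hosting project) scans web access logs for clients that requested imgdb.db and then sent requests carrying a `d` parameter. It assumes Combined Log Format; the sample log lines, addresses, IDs and the `/?d=` URL shape are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format is assumed: client, identity, user, [time], "request", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
DB_SUFFIX = "/upload/data/imgdb.db"  # file path named in the CVE description

# Constructed sample log; addresses, IDs and the "/?d=" URL shape are illustrative.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Apr/2026:10:00:01 +0000] "GET /upload/data/imgdb.db HTTP/1.1" 200 48211 "-" "-"',
    '203.0.113.7 - - [12/Apr/2026:10:00:09 +0000] "GET /?d=EXAMPLEID1 HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [12/Apr/2026:10:00:10 +0000] "GET /?d=EXAMPLEID2 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [12/Apr/2026:10:05:00 +0000] "GET /upload//data/IMGDB.db HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.9 - - [12/Apr/2026:10:06:00 +0000] "GET /?d=EXAMPLEID3 HTTP/1.1" 200 512 "-" "-"',
]

def analyze(lines):
    """Map each client that requested imgdb.db to what it got and did afterwards."""
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        # Normalise encoding, duplicate slashes and case before matching the path.
        path = re.sub(r"/+", "/", unquote(url.path)).lower()
        if path.endswith(DB_SUFFIX):
            f = findings.setdefault(
                client, {"db_served": False, "db_probes": 0, "deletes_after": 0})
            f["db_probes"] += 1
            f["db_served"] |= status in (200, 206)  # the file body was returned
        elif findings.get(client, {}).get("db_served") and "d" in parse_qs(url.query):
            findings[client]["deletes_after"] += 1  # d= request after a download
    return findings

if __name__ == "__main__":
    for client, f in analyze(SAMPLE_LOG).items():
        level = "EXPOSED" if f["db_served"] else "probe only"
        print(f"{client}: {level}, {f['db_probes']} imgdb.db request(s), "
              f"{f['deletes_after']} later d= request(s)")
```

Any client reported with `db_served` set means the server returned the database file, so the upload/data directory is still reachable from outside and the stored delete IDs should be treated as disclosed.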
Security Summary
CVE-2019-25709 is a critical vulnerability in CF Image Hosting Script version 1.6.5, classified under CWE-552 (Files or Directories Accessible to External Parties). It enables unauthenticated attackers to directly access and download the imgdb.db file from the upload/data directory, which holds the application's database. Once downloaded, the database can be decoded and deserialized to extract the delete IDs it stores in plaintext.
Unauthenticated remote attackers can exploit this vulnerability with low complexity, requiring no privileges or user interaction. By downloading the imgdb.db file, decoding it, and using the extracted plaintext delete IDs via the "d" parameter, attackers can delete all pictures hosted by the application. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.
Advisories and related resources, including VulnCheck (https://www.vulncheck.com/advisories/cf-image-hosting-script-unauthorized-database-access) and an Exploit-DB entry (https://www.exploit-db.com/exploits/46094), detail the issue and potential mitigations. Additional references include a CodeFuture forum thread (http://forum.codefuture.co.uk/showthread.php?tid=73141) and https://davidtavarez.github.io/. The CVE was published on 2026-04-12T13:16:33.950.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated external access to a sensitive database file via an exposed directory (T1044: File System Permissions Weakness) in a public-facing web application (T1190: Exploit Public-Facing Application), facilitating data extraction and unauthorized deletions.