CVE-2025-69990
Published: 13 January 2026
Description
phpgurukul News Portal Project V4.1 has an Arbitrary File Deletion Vulnerability in remove_file.php. The 'file' parameter can be used to delete any file.
Mitigating Controls (NIST 800-53 r5)
Directly addresses the insufficient validation of the 'file' parameter in remove_file.php by requiring input validation mechanisms to reject arbitrary file paths.
Enforces approved authorizations for file system access, preventing unauthenticated arbitrary file deletions through the vulnerable endpoint.
Applies least privilege to the web application process, limiting the scope of deletable files and mitigating damage from arbitrary deletion attempts.
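One way to implement the input-validation and authorization controls described above, as an added example; it is not code from the News Portal Project or from the referenced advisory. The upload directory, the `login` session key, the use of POST, and the function name `resolve_deletable_path` are assumptions.

```php
<?php
declare(strict_types=1);

// Assumption: deletable files live in one dedicated directory (hypothetical path).
const UPLOAD_DIR = __DIR__ . '/uploads';

/**
 * Return the canonical path of $requested if it names a regular file located
 * directly inside $baseDir; return null for anything else.
 */
function resolve_deletable_path(string $baseDir, string $requested): ?string
{
    // Reject empty names, NUL bytes, and anything containing a path separator.
    if ($requested === '' || strpbrk($requested, "\0/\\") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $requested;
    // A symlink inside the directory could point anywhere; refuse to follow it.
    // "." and ".." fail here too, because they are not regular files.
    if (is_link($candidate) || !is_file($candidate)) {
        return null;
    }
    // Canonicalise and confirm the result is still directly inside the base.
    $real = realpath($candidate);
    if ($real === false || dirname($real) !== $base) {
        return null;
    }
    return $real;
}

session_start();
// Assumption: an authenticated administrator is marked by $_SESSION['login'].
if (empty($_SESSION['login'])) {
    http_response_code(403);
    exit('Forbidden');
}
// Assumption: the file name arrives as a POST field named 'file'.
$name = $_POST['file'] ?? '';
$path = is_string($name) ? resolve_deletable_path(UPLOAD_DIR, $name) : null;
if ($path === null) {
    http_response_code(400);
    exit('Invalid file');
}
if (!unlink($path)) {
    http_response_code(500);
}
```

The least-privilege control is enforced outside the script: the web server account should have write access only to the upload directory.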
Security Summary
CVE-2025-69990 is an arbitrary file deletion vulnerability in the phpgurukul News Portal Project version 4.1. The flaw exists in the remove_file.php component, where the 'file' parameter is insufficiently validated, enabling attackers to specify and delete any file on the server. This issue, published on 2026-01-13, carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and is associated with CWE-552 (Files or Directories Accessible to External Parties).
Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, authentication, or user interaction. Unauthenticated exploitation allows deletion of arbitrary files, leading to high impacts on integrity (I:H) and availability (A:H), with no confidentiality impact (C:N). This could result in service disruption, data loss, or compromise of the hosting environment by targeting critical system files.
Mitigation details are available in the referenced advisory at https://github.com/Y4y17/CVE/blob/main/News%20Portal%20Project/File%20deletion%20vulnerability.md.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directly enables exploitation of public-facing web application (T1190) for arbitrary file deletion (T1070.004), facilitating data destruction (T1485) via service disruption and data loss.