This page lists publicly disclosed CVE vulnerabilities affecting fabian scholars_tracking_system (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-70152 | code-projects Community Project Scholars Tracking System 1.0 is vulnerable to SQL Injection in the admin user management endpoints /admin/save_user.php and /admin/update_user.php. These endpoints lack authentication checks and directly concatenate user-supplied POST parameters (firstname, lastname, username, password, user_id) into SQL queries without validation or parameterization. | [email protected] | 9.8 | 0.40% | 2026-02-18 | 2026-06-17 |
| CVE-2025-70151 | code-projects Scholars Tracking System 1.0 allows an authenticated attacker to achieve remote code execution via unrestricted file upload. The endpoints update_profile_picture.php and upload_picture.php store uploaded files in a web-accessible uploads/ directory using the original, user-supplied filename without validating the file type or extension. By uploading a PHP file and then requesting it from /uploads/, an attacker can execute arbitrary PHP code as the web server user. | [email protected] | 8.8 | 0.59% | 2026-02-18 | 2026-06-17 |
| CVE-2025-14951 | A security vulnerability has been detected in code-projects Scholars Tracking System 1.0. The impacted element is an unknown function of the file /home.php. Such manipulation of the argument post_content leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | [email protected] | 5.5 | 0.33% | 2025-12-19 | 2026-06-17 |
| CVE-2025-14950 | A weakness has been identified in code-projects Scholars Tracking System 1.0. The affected element is an unknown function of the file /delete_post.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. | [email protected] | 5.5 | 0.33% | 2025-12-19 | 2026-06-17 |
| CVE-2025-14940 | A vulnerability was determined in code-projects Scholars Tracking System 1.0. The affected element is an unknown function of the file /admin/delete_user.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | [email protected] | 5.5 | 0.33% | 2025-12-18 | 2026-06-17 |
| CVE-2024-24098 | Code-projects Scholars Tracking System 1.0 is vulnerable to SQL Injection via the News Feed. | [email protected] | 7.8 | 0.42% | 2024-03-05 | 2026-06-17 |