Cross-Site Scripting Vulnerability in lokibhardwaj PHP-Code-For-Unlimited-File-Upload
CVE-2025-10246

5.1 MEDIUM

Key Information:

Vendor
CVE Published: 11 September 2025

What is CVE-2025-10246?

A cross-site scripting (XSS) vulnerability has been identified in lokibhardwaj PHP-Code-For-Unlimited-File-Upload. Manipulating the argument 'h' in the file /f.php allows remote attackers to execute arbitrary scripts in the context of users' browsers, potentially exposing sensitive information or hijacking user sessions. The exploit has been made public, and the vendor has not responded to initial disclosures regarding the vulnerability, which adds urgency to addressing the issue. Organizations using this product should take proactive steps to mitigate the risks associated with this XSS vulnerability.

Affected Version(s)

PHP-Code-For-Unlimited-File-Upload 124fe96324915490c81eaf7db3234b0b4e4bab3c

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

dev03303 (VulDB User)