Unrestricted File Upload Vulnerability in DouPHP by Douke Network Technology Co., Ltd.
CVE-2025-13198

5.1MEDIUM

Key Information:

Vendor

Douke Network Technology Co., Ltd.

Status
DouPHP
Vendor
CVE Published:
15 November 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-13198?

An exploitation vulnerability has been identified in DouPHP versions up to 1.8 Release 20251022, specifically in the file upload functionality located in file.include/file.class.php. This vulnerability allows attackers to manipulate upload parameters, resulting in the ability to perform unrestricted file uploads. The exploit has been made public, raising the risk of potential remote exploitation. Organizations using affected versions should apply necessary patches to mitigate this security threat.

Affected Version(s)

DouPHP 1.8 Release 20251022

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-13198 - Proof of Concept

References

https://vuldb.com/?id.332496
vdb-entrytechnical-description
https://vuldb.com/?ctiid.332496
signaturepermissions-required
https://vuldb.com/?submit.685544
third-party-advisory

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

electroN1c (VulDB User)
JSON
.
CVE-2025-13198 : Unrestricted File Upload Vulnerability in DouPHP by Douke Network Technology Co., Ltd.