Unrestricted Upload Vulnerability in Code-Projects Online Bidding System 1.0
CVE-2025-13574

5.1MEDIUM

Key Information:

Vendor

Code-projects

Status
Online Bidding System
Vendor
CVE Published:
24 November 2025

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2025-13574?

A vulnerability has been discovered in Code-Projects' Online Bidding System version 1.0, specifically within the function categoryadd in the addcategory.php file. This flaw arises from inadequate validation of the catimage argument, leading to the potential for unauthorized file uploads. The vulnerability can be exploited remotely, allowing malicious actors to upload arbitrary files to the server. The exploit has been publicly disclosed, putting systems at risk of various attacks. Organizations utilizing this software should take immediate action to mitigate the exposure.

Affected Version(s)

Online Bidding System 1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-13574 - Proof of Concept

References

https://vuldb.com/?id.333338
vdb-entrytechnical-description
https://vuldb.com/?ctiid.333338
signaturepermissions-required
https://vuldb.com/?submit.698717
third-party-advisory

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yohane-Mashiro (VulDB User)
JSON
.
CVE-2025-13574 : Unrestricted Upload Vulnerability in Code-Projects Online Bidding System 1.0