anonhaven
Ad

CVE-2019-25647

HIGH CVSS 4.0: 8.7 EPSS 0.22%
Updated Mar 25, 2026
PHP
Parameter Value
CVSS 8.7 (HIGH)
Type CWE-434 (Unrestricted File Upload)
Vendor PHP
Public PoC Yes

PhreeBooks ERP 5.2.3 contains a remote code execution vulnerability in the image manager that allows authenticated attackers to upload and execute arbitrary PHP files by bypassing file extension controls. Attackers can upload malicious PHP files through the image manager endpoint and execute them to establish reverse shell connections and execute system commands.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v4.0

Weakness Type (CWE)

CWE-434 Unrestricted File Upload

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Phreesoft Phreebookserp
cpe:2.3:a:phreesoft:phreebookserp:5.2.3:*:*:*:*:*:*:*

References 4

https://sourceforge.net/projects/phreebooks/
disclosure@vulncheck.com
https://www.exploit-db.com/exploits/46645
disclosure@vulncheck.com
https://www.phreesoft.com/
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/phreebooks-erp-remote-code-execution-via-i…
disclosure@vulncheck.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-5035

PHP

6.9

CVE-2026-5034

PHP

6.9

CVE-2026-5033

PHP

6.9

CVE-2026-5019

PHP

6.9

CVE-2026-5018

PHP

6.9