← back
CVE-2019-25709

CF Image Hosting Script 1.6.5 Unauthorized Database Access

CVSS 9.3 CRITICALEPSS 0.6%CWE-552
Vexday Risk Score
48Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 9.3EPSS 0.6%KEV nãoPoC públicaNuclei Metasploit Patch
Lifecycle
12 Apr 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download and decode the application database by accessing the imgdb.db file in the upload/data directory. Attackers can extract delete IDs stored in plaintext from the deserialized database and use them to delete all pictures via the d parameter.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
Davidtavarez · CF Image Hosting Script
public PoCs found1
cve_referencewww.exploit-db.com/exploits/46094unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://forum.codefuture.co.uk/showthread.php?tid=73141https://davidtavarez.github.io/https://www.exploit-db.com/exploits/46094https://www.vulncheck.com/advisories/cf-image-hosting-script-unauthorized-database-access