ProjectsAndPrograms School Management System File Upload Vulnerability Leading to Remote Code Execution

Vulnerability

A file upload vulnerability has been identified in the ProjectsAndPrograms School Management System in versions prior to commit 6b6fae5426044f89c08d0dd101c7fa71f9042a59. The issue resides in the Profile Picture Handler component, in the file /admin_panel/settings.php. It allows authenticated users with the Admin or Teacher role to upload arbitrary files, which can then be executed on the server, leading to remote code execution.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server, potentially leading to a full system compromise.

Reproduction

To reproduce this vulnerability, log in as an Admin or Teacher and navigate to the /admin_panel/settings.php page. Use the profile picture upload feature and intercept the request with Burp Suite. Modify the uploaded file to include a PHP payload and upload it. Once uploaded, access the file through the browser to execute the payload.
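The root cause described above is a profile-picture handler that stores whatever file the client sends under a name and extension the client controls. The following hardened handler for settings.php is an added example, not the project's own code; the form field name "profile_picture" and the upload directory are assumptions.

```php
<?php
// Hardened profile-picture upload (added example, not the project's code).
// Assumptions: form field "profile_picture"; UPLOAD_DIR is served as static
// files only (PHP execution disabled there via the web server configuration).
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/../uploads/profile_pictures';
const MAX_BYTES  = 2 * 1024 * 1024;
// Sniffed MIME type => the only extension we will ever write for it.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_profile_picture(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // Decide the type from the bytes, never from $file['name'] or $file['type'],
    // both of which the client controls.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])
        || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Only JPEG, PNG or GIF images are accepted');
    }

    // Server-chosen name: random, one known extension, no user input in the path.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not save file');
    }
    chmod($dest, 0644);
    return $name;
}

// Usage inside settings.php, after the session and role checks:
// $stored = store_profile_picture($_FILES['profile_picture']);
```

Even with this validation in place, the upload directory should not be executable by the PHP interpreter, so that a file that slips through is served as data rather than run.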

Added: Apr 3, 2026, 4:19 PM
Updated: Apr 3, 2026, 4:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 7.5
exploitability: 8.0
remediation: 0.0
relevance: 4.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.