PT-2025-43936 · Unknown · Learnhouse

Khanmarshal · Published 2025-10-27 · Updated 2025-10-27 · CVE-2025-12268

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

LearnHouse versions prior to 98dfad76aad70711a8113f6c1fdabfccf10509ca

Description

A flaw exists in LearnHouse that allows for unrestricted file upload. The issue is located within the Course Thumbnail Handler component, specifically affecting an unknown function associated with the /api/v1/courses/ endpoint. The thumbnail parameter is susceptible to manipulation, enabling remote attackers to upload files without restrictions. The exploit details have been publicly disclosed.

Recommendations

Versions prior to 98dfad76aad70711a8113f6c1fdabfccf10509ca should be updated. As a temporary workaround, restrict access to the /api/v1/courses/ endpoint. Avoid using the thumbnail parameter until the issue is resolved.

Exploit

Fix

Improper Access Control

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2025-12268

Affected Products

Learnhouse