CVE Alert

CVE-2019-25709

CRITICAL 9.8

CF Image Hosting Script 1.6.5 Unauthorized Database Access

CVSS Score: 9.8
EPSS Score: 0.1%
EPSS Percentile: 18th

CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download and decode the application database by accessing the imgdb.db file in the upload/data directory. Attackers can extract delete IDs stored in plaintext from the deserialized database and use them to delete all pictures via the d parameter.

CWE: CWE-552
Vendor: davidtavarez
Product: cf image hosting script
Published: Apr 12, 2026
Last Updated: Apr 15, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

Davidtavarez / CF Image Hosting Script
1.6.5

References

exploit-db.com: https://www.exploit-db.com/exploits/46094
davidtavarez.github.io: https://davidtavarez.github.io/
forum.codefuture.co.uk: http://forum.codefuture.co.uk/showthread.php?tid=73141
vulncheck.com: https://www.vulncheck.com/advisories/cf-image-hosting-script-unauthorized-database-access

Credits

David Tavarez