CVE-2025-70146CRITICAL 9.1EPSS p35.8%

CVE-2025-70146CVE-2025-70146

Description

Missing authentication in multiple administrative action scripts under /admin/ in ProjectWorlds Online Time Table Generator 1.0 allows remote attackers to perform unauthorized administrative operations (e.g.,adding records, deleting records) via direct HTTP requests to affected endpoints without a valid session.

Scoring

CVSS 3.19.1 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS0.45% probability of exploitation · percentile 35.8% · 2026-06-19T12:03:05Z
Published2026-02-18
Last modified2026-02-20

Underlying weaknesses· 2

CWE-306CWE-862

References

  1. https://projectworlds.com/online-time-table-generator-php-mysql/
  2. https://youngkevinn.github.io/posts/CVE-2025-70146-OTTTG-Unauth-Deletion/

2

TypeTargetConfidenceTier
WeaknessMissing Authentication for Critical Functioncwe-3060%live
WeaknessMissing Authorizationcwe-8620%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-2660
CVE
CVE-2025-5003
CVE
CVE-2025-5004
CVE
CVE-2025-2661
CVE
CVE-2025-5008
CVE
CVE-2025-2659
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.