CVE-2025-10763: Unrestricted Upload in academico-sis academico
A vulnerability was determined in academico-sis academico up to commit d9a9e2636fbf7e5845ee086bcb03ca62faceb6ab. Affected by this issue is some unknown functionality of the file /edit-photo in the component Profile Picture Handler. The manipulation results in unrestricted upload. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used. This product adopts a rolling release strategy to maintain continuous delivery. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10763 is a medium-severity vulnerability affecting the academico-sis academico software up to commit d9a9e2636fbf7e5845ee086bcb03ca62faceb6ab. The vulnerability resides in the Profile Picture Handler component, specifically in the /edit-photo endpoint, which allows unrestricted file uploads: remote attackers can upload arbitrary files without proper validation or restrictions. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L); in practice, the holder of any low-privileged account can exploit the flaw remotely without involving another user. The vendor uses a rolling release strategy but has not responded to the disclosure, and no patches or mitigations have been published yet. Although no exploitation in the wild has been observed so far, the public disclosure increases the risk of exploitation. An unrestricted upload could allow attackers to place malicious files such as web shells or malware on the server, potentially leading to remote code execution or further compromise of the affected system. Given the nature of the vulnerability and the lack of vendor response, organizations using academico-sis academico should treat this as a significant risk until mitigations or patches are available.
Potential Impact
For European organizations using academico-sis academico, this vulnerability poses a tangible risk of unauthorized system compromise. The ability to upload arbitrary files remotely can lead to server-side code execution, data breaches, or service disruption. Educational institutions or organizations relying on academico-sis for student information management could face data confidentiality violations, reputational damage, and operational interruptions. Since the vulnerability requires only low privileges and no user interaction, attackers could exploit it to escalate privileges or establish persistent access. The medium CVSS score reflects moderate impact, but the real-world consequences could be severe if exploited, especially in environments with sensitive personal data governed by GDPR. Additionally, the lack of vendor response and patch availability increases exposure time, necessitating immediate defensive actions by affected organizations.
Mitigation Recommendations
Given the absence of official patches, European organizations should implement the following specific mitigations:
1) Restrict access to the /edit-photo endpoint using network-level controls such as IP allowlisting or VPN-only access to limit exposure.
2) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious file upload patterns or to disallow dangerous file types (e.g., executable scripts).
3) Implement strict file type and content validation on the server side, where possible, so that executable or otherwise malicious files cannot be stored.
4) Monitor logs for unusual upload activity or attempts to access the vulnerable endpoint.
5) Isolate the affected component in a sandboxed environment to limit potential damage.
6) Regularly back up critical data and ensure incident response plans are updated to handle potential exploitation.
7) Engage with the academico-sis community or consider alternative software solutions if the vendor remains unresponsive.
These targeted mitigations go beyond generic advice by focusing on access control, detection, and containment strategies specific to the unrestricted upload vulnerability.
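The following is an added example of the server-side validation recommended in item 3; it is not code from the academico-sis project (the page does not show the application's own /edit-photo handler), and the accepted formats, the 2 MiB size limit, the script-marker list and the function names are assumptions chosen for illustration. It decides on the basis of file content rather than the client-supplied name or Content-Type, rejects double extensions and image/script polyglots, and stores the file under a server-chosen random name.

```python
"""Hardened profile-picture upload validation (illustrative example, not project code)."""
import re
import secrets
from typing import Optional, Tuple

MAX_BYTES = 2 * 1024 * 1024  # assumed limit: 2 MiB is ample for a profile picture

# Accepted image formats, identified by their leading magic bytes. The
# client-supplied filename and Content-Type are attacker-controlled and are
# therefore never trusted to decide what the file is.
SIGNATURES = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
# Stored extension is derived from the detected type, never copied from the request.
EXTENSIONS = {"image/jpeg": ".jpg", "image/png": ".png", "image/gif": ".gif"}

# The original filename must be a plain stem plus exactly one image extension:
# no directory separators and no double extensions such as "avatar.php.png".
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)", re.IGNORECASE)

# Defence in depth: a file that is a valid image header *and* carries script
# markers (an image/script polyglot) is rejected rather than stored.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's magic bytes, or None."""
    for mime, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return mime
    return None


def validate_profile_picture(filename: str, declared_mime: str, data: bytes) -> Tuple[bool, str]:
    """Return (True, stored_filename) if the upload is acceptable, else (False, reason).

    Checks run cheapest-first; every rejection names the failing rule so the
    result can be logged and correlated with the monitoring in item 4.
    """
    if not data:
        return False, "empty upload"
    if len(data) > MAX_BYTES:
        return False, "file exceeds size limit"
    detected = sniff_image_type(data)
    if detected is None:
        return False, "content is not a supported image"
    if declared_mime.lower() != detected:
        return False, f"declared type {declared_mime} does not match content {detected}"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "image contains embedded script markers"
    if not SAFE_NAME.fullmatch(filename):
        return False, "unexpected original filename"
    # Random server-chosen name: nothing from the request influences the path
    # the web server later serves, so a stored file cannot be made executable
    # by choosing its name.
    stored = secrets.token_hex(16) + EXTENSIONS[detected]
    return True, stored


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header plus padding, and a
    # constructed non-image payload with a misleading name.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    samples = [
        ("me.png", "image/png", png),
        ("avatar.php.png", "image/png", png),
        ("shell.php", "image/png", b"<?php /* constructed non-image payload */ ?>"),
        ("poly.png", "image/png", png + b"<?php "),
    ]
    for name, mime, body in samples:
        print(name, "->", validate_profile_picture(name, mime, body))
```

Pair this with the web server configuration so the upload directory is served as static content only (no script execution), since content validation and storage-location hardening cover different failure modes.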
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-20T07:25:53.597Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d0935fb68a0c387d42a931
Added to database: 9/22/2025, 12:07:59 AM
Last enriched: 9/22/2025, 12:08:57 AM
Last updated: 9/24/2025, 12:09:15 AM
Related Threats
- CVE-2025-43779: CWE-79: Cross-site Scripting in Liferay Portal (Medium)
- CVE-2025-57407: n/a (High)
- CVE-2025-29084: n/a (High)
- CVE-2025-29083: n/a (High)
- CVE-2025-55780: n/a (Medium)