CVE-2025-70146: n/a

Severity: Critical
Published: Wed Feb 18 2026 (02/18/2026, 00:00:00 UTC)
Source: CVE Database V5

Description

Missing authentication in multiple administrative action scripts under /admin/ in ProjectWorlds Online Time Table Generator 1.0 allows remote attackers to perform unauthorized administrative operations (e.g., adding records, deleting records) via direct HTTP requests to affected endpoints without a valid session.

AI-Powered Analysis

AI analysis last updated: 02/19/2026, 12:05:18 UTC

Technical Analysis

CVE-2025-70146 is a critical security vulnerability identified in ProjectWorlds Online Time Table Generator version 1.0. The core issue stems from missing authentication mechanisms in multiple administrative action scripts located under the /admin/ directory. These scripts allow remote attackers to bypass authentication entirely and perform unauthorized administrative operations such as adding or deleting timetable records by sending crafted HTTP requests directly to the affected endpoints. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and CWE-862 (Missing Authorization). The CVSS v3.1 base score is 9.1, reflecting a critical severity due to the vulnerability's network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), but high integrity (I:H) and availability (A:H) impacts. This means attackers can fully compromise the integrity and availability of the timetable data without needing any credentials or user interaction. The vulnerability was published on February 18, 2026, with no patches or known exploits reported at the time of disclosure. The lack of authentication on administrative endpoints is a fundamental security flaw that can lead to unauthorized data manipulation and potential denial of service, severely impacting the reliability and trustworthiness of the affected system.

Potential Impact

For European organizations, especially educational institutions or entities relying on ProjectWorlds Online Time Table Generator or similar scheduling software, this vulnerability poses a significant risk. Unauthorized administrative access can lead to manipulation or deletion of critical scheduling data, causing operational disruptions, loss of data integrity, and potential denial of service. Such disruptions could affect academic scheduling, resource allocation, and overall organizational efficiency. The absence of confidentiality impact reduces the risk of sensitive data leakage, but the high integrity and availability impacts mean attackers can cause significant operational damage. Additionally, if exploited, attackers could undermine trust in the affected systems, potentially leading to reputational damage. Given the critical nature of the vulnerability and the ease of exploitation, European organizations must prioritize mitigation to prevent unauthorized administrative control and maintain service continuity.

Mitigation Recommendations

To mitigate CVE-2025-70146, organizations should immediately restrict access to the /admin/ directory using network-level controls such as IP whitelisting or VPN access to limit administrative interface exposure. Implement robust authentication and authorization mechanisms on all administrative endpoints to ensure only authorized users can perform critical operations. Conduct a thorough code review and update the application to enforce session validation and authentication checks on all administrative scripts. Deploy web application firewalls (WAFs) with rules to detect and block unauthorized access attempts targeting the /admin/ paths. Monitor logs for unusual administrative activity and implement alerting for suspicious requests. If possible, isolate the timetable generator system from public networks or place it behind secure gateways. Engage with the software vendor or community to obtain patches or updates addressing the vulnerability. Finally, educate administrators and users about the risks and ensure secure operational practices are followed.
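As an added illustration of the log-monitoring step above (this is example code, not part of the advisory or of the vendor's application), the script below scans access-log lines for successful requests to /admin/ scripts that carried no session cookie, which is exactly the traffic pattern an unauthenticated administrative action leaves behind. The log format (Apache "combined" plus the request's Cookie header), the session cookie name PHPSESSID, and the script names in the sample lines are all assumptions; the sample log lines are constructed, not real traffic.

```python
import re

# Assumed log format (not from the advisory): Apache "combined" with the
# request's Cookie header appended as a final quoted field, e.g.
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\""
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"'
)

# Session cookie name is an assumption (PHP default); adjust to the deployment.
SESSION_COOKIE = "PHPSESSID"
ADMIN_PREFIX = "/admin/"

def parse_line(line: str) -> dict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    return m.groupdict()

def is_suspicious(entry: dict) -> bool:
    """True when an /admin/ action was served successfully (2xx/3xx) to a client
    that presented no session cookie: an unauthenticated request reaching a script
    that performed no session check."""
    if not entry["path"].startswith(ADMIN_PREFIX):
        return False
    if not entry["status"].startswith(("2", "3")):
        return False
    # The login page itself is expected to be reachable without a session.
    if entry["path"].split("?")[0].endswith("login.php"):
        return False
    return SESSION_COOKIE + "=" not in entry["cookie"]

def find_unauthenticated_admin_hits(lines: list) -> list:
    return [e for e in (parse_line(l) for l in lines if l.strip()) if is_suspicious(e)]

# Constructed sample log lines; script names are placeholders, not the app's real files.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Feb/2026:10:01:12 +0000] "GET /admin/login.php HTTP/1.1" 200 812 "-" "Mozilla/5.0" "-"',
    '203.0.113.7 - - [18/Feb/2026:10:01:20 +0000] "POST /admin/add_record.php HTTP/1.1" 302 0 "-" "curl/8.4" "-"',
    '198.51.100.4 - - [18/Feb/2026:10:02:03 +0000] "POST /admin/delete_record.php?id=12 HTTP/1.1" 200 55 "-" "Mozilla/5.0" "PHPSESSID=abc123"',
    '203.0.113.7 - - [18/Feb/2026:10:02:40 +0000] "GET /admin/delete_record.php?id=13 HTTP/1.1" 200 55 "-" "python-requests/2.31" "-"',
    '192.0.2.9 - - [18/Feb/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for hit in find_unauthenticated_admin_hits(SAMPLE_LOG):
        print(f"ALERT {hit['ts']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']} (no {SESSION_COOKIE})")
```

Once the application enforces session checks on every /admin/ script, the same rule keeps value as a regression detector: any new hit means a script shipped without the check.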

Technical Details

Data Version
5.2
Assigner Short Name
mitre
Date Reserved
2026-01-09T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6996fb478fb9188dea8c032d

Added to database: 2/19/2026, 12:00:07 PM

Last enriched: 2/19/2026, 12:05:18 PM

Last updated: 2/21/2026, 12:18:11 AM
