What is the CVSS score of CVE-2019-25458?

CVE-2019-25458 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Firma Rehberi are affected by CVE-2019-25458?

Web Ofisi Firma Rehberi v1 contains a critical SQL injection vulnerability (CVSS 9.8) that allows unauthenticated attackers to compromise the entire database without authentication.

Is there a public PoC exploit available for CVE-2019-25458?

Yes, a public proof-of-concept exploit is available for CVE-2019-25458. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2019-25458?

Within 24 hours: Identify all instances of Web Ofisi Firma Rehberi v1 in production and isolate them from internet-facing access; implement emergency WAF rules to block SQL injection patterns in GET parameters. Within 7 days: Conduct forensic analysis of access logs to detect prior exploitation; perform a full database audit for unauthorized access or data exfiltration. Within 30 days: Either migrate to a patched version when available, replace the application with an alternative solution, or decommission if business-critical functions can be absorbed elsewhere.

Firma Rehberi CVE-2019-25458

CRITICAL

SQL Injection (CWE-89)

2026-02-22 disclosure@vulncheck.com

SQLi Firma Rehberi

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:04 vuln.today

PoC Detected

Mar 02, 2026 - 15:16 vuln.today

Public exploit code

CVE Published

Feb 22, 2026 - 15:16 nvd

CRITICAL 9.8

DescriptionCVE.org

Web Ofisi Firma Rehberi v1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. Attackers can send requests to with malicious payloads in the 'il', 'kat', or 'kelime' parameters to extract sensitive database information or perform time-based blind SQL injection attacks.

AnalysisAI

SQL injection in Web Ofisi Firma Rehberi v1. PoC available.

Technical ContextAI

CWE-89.

RemediationAI

Apply patch.

CVE-2019-25458 vulnerability details – vuln.today

Back

Firma Rehberi CVE-2019-25458

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code