Which versions of PHP are affected by CVE-2019-25536?

An unauthenticated SQL injection vulnerability in Netartmedia PHP Real Estate Agency 4.0 allows attackers to extract, modify, or delete sensitive database content without credentials.

Is there a public PoC exploit available for CVE-2019-25536?

Yes, a public proof-of-concept exploit is available for CVE-2019-25536. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2019-25536?

Within 24 hours: Identify all instances of Netartmedia PHP Real Estate Agency 4.0 in production and take inventory. Within 7 days: Implement WAF rules to block malicious input to the features[] parameter, isolate affected systems from the internet if possible, and enable database activity monitoring. Within 30 days: Migrate to an alternative real estate management platform or contact the vendor for available workarounds, as no patch is currently available.

PHP CVE-2019-25536

Q: What is the CVSS score of CVE-2019-25536?

CVE-2019-25536 has a CVSS 4.0 base score of 8.8 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

HIGH

SQL Injection (CWE-89)

2026-03-12 disclosure@vulncheck.com

PHP SQLi

8.8

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

PoC Detected

Apr 07, 2026 - 01:17 vuln.today

Public exploit code

Analysis Generated

Mar 12, 2026 - 19:57 vuln.today

CVE Published

Mar 12, 2026 - 16:16 nvd

HIGH 8.8

DescriptionNVD

Netartmedia PHP Real Estate Agency 4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the features[] parameter. Attackers can send POST requests to index.php with crafted SQL payloads in the features[] parameter to extract sensitive database information or manipulate database queries.

AnalysisAI

Technical ContextAI

Classified as CWE-89 (SQL Injection). Netartmedia PHP Real Estate Agency 4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the features[] parameter. Attackers can send POST requests to index.php with crafted SQL payloads in the features[] parameter to extract sensitive database information or manipulate database queries.

RemediationAI

Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

CVE-2019-25536 vulnerability details – vuln.today

Back

PHP CVE-2019-25536

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

PHP CVE-2019-25536

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code