Skip to main content

E-Commerce Website CVE-2025-11024

| EUVDEUVD-2025-209838 CRITICAL
SQL Injection (CWE-89)
2026-05-14 TR-CERT GHSA-6g4r-8638-677q
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 14, 2026 - 11:01 EUVD
Analysis Generated
May 14, 2026 - 10:15 vuln.today
CVE Published
May 14, 2026 - 09:21 nvd
CRITICAL 9.8

DescriptionCVE.org

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Blind SQL Injection.

This issue affects E-Commerce Website: before 4.5.001.

AnalysisAI

Remote unauthenticated SQL injection in Akilli Commerce Software Technologies E-Commerce Website before version 4.5.001 allows complete database compromise without authentication. The vulnerability permits blind SQL injection attacks with network-level access and low complexity (CVSS:3.1 AV:N/AC:L/PR:N/UI:N), achieving full confidentiality, integrity, and availability impact (9.8 critical severity). TR-CERT (Turkish national CERT) published this advisory, indicating regional significance for Turkish e-commerce deployments. No public exploit identified at time of analysis, with EPSS risk data and CISA KEV status unavailable for initial assessment.

Technical ContextAI

This vulnerability stems from CWE-89 (SQL Injection), where the application fails to properly sanitize or parameterize user-supplied input before incorporating it into SQL queries. The affected system is Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website (CPE: cpe:2.3:a:akilli_commerce_software_technologies_ltd._co.:e-commerce_website), a Turkish e-commerce platform. Blind SQL injection differs from traditional SQLi by not directly displaying query results but allowing attackers to infer database contents through time-based delays, boolean logic responses, or error behaviors. With network-accessible vectors (AV:N) and no authentication requirements (PR:N), any remote attacker can directly query externally-facing application endpoints. The low attack complexity (AC:L) suggests exploitation requires no specialized conditions like race conditions or complex timing, making it reliably exploitable with standard SQLi tools like sqlmap or manual payloads.

RemediationAI

Upgrade immediately to E-Commerce Website version 4.5.001 or later, which addresses the SQL injection vulnerability according to version-based scope in the CVE disclosure. Obtain the patched version from Akilli Commerce Software Technologies Ltd. Co. through official channels and consult the TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0222 for additional vendor guidance. If immediate patching is not feasible, implement emergency compensating controls: deploy a web application firewall (WAF) with SQL injection signature detection and blocking rules (consider that blind SQLi may evade basic filters - enable query inspection and time-delay anomaly detection); restrict application database user privileges to minimum required operations only, removing DROP, CREATE, and administrative privileges to limit post-exploitation impact (note: attackers can still exfiltrate data accessible to the application user); enable database query logging and monitor for suspicious patterns like WAITFOR DELAY, BENCHMARK(), or boolean tautologies (this creates performance overhead and does not prevent exploitation, only aids detection). Network segmentation to isolate database servers from direct internet access provides defense-in-depth but does not mitigate application-layer exploitation. All compensating controls are partial risk reduction only - version upgrade to 4.5.001 is the definitive remediation.

CVE-2021-25207 CRITICAL POC
9.8 Jul 23

Arbitrary file upload vulnerability in SourceCodester E-Commerce Website v 1.0 allows attackers to execute arbitrary cod

CVE-2021-25205 CRITICAL POC
9.8 Jul 22

SQL injection vulnerability in SourceCodester E-Commerce Website V 1.0 allows remote attackers to execute arbitrary SQL

CVE-2024-8217 MEDIUM POC
6.9 Aug 27

A vulnerability has been found in SourceCodester E-Commerce Website 1.0 and classified as critical. Rated medium severit

CVE-2026-2347 CRITICAL
9.8 May 14

Authorization bypass in Akilli Commerce E-Commerce Website before 4.5.001 allows remote unauthenticated attackers to hij

CVE-2025-6577 CRITICAL
9.8 May 12

SQL injection in Akilli Commerce E-Commerce Website versions before 4.5.001 allows remote unauthenticated attackers to e

CVE-2025-11513 MEDIUM POC
5.5 Oct 09

A vulnerability was determined in code-projects E-Commerce Website 1.0. This affects an unknown part of the file /pages/

CVE-2025-11596 MEDIUM POC
5.5 Oct 11

A vulnerability was determined in code-projects E-Commerce Website 1.0. The affected element is an unknown function of t

CVE-2025-11558 MEDIUM POC
5.5 Oct 09

A vulnerability was found in code-projects E-Commerce Website 1.0. Impacted is an unknown function of the file /pages/us

CVE-2025-11420 MEDIUM POC
5.5 Oct 08

A vulnerability was detected in code-projects E-Commerce Website 1.0. Impacted is an unknown function of the file /pages

CVE-2022-27330 MEDIUM POC
5.4 May 03

A cross-site scripting (XSS) vulnerability in /public/admin/index.php?add_product of E-Commerce Website v1.0 allows atta

CVE-2021-25204 MEDIUM POC
5.4 Jul 23

Cross-site scripting (XSS) vulnerability in SourceCodester E-Commerce Website v 1.0 allows remote attackers to inject ar

CVE-2024-8139 MEDIUM POC
5.3 Aug 25

A vulnerability has been found in itsourcecode E-Commerce Website 1.0 and classified as critical. Rated medium severity

Share

CVE-2025-11024 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy