
CRMEB CVE-2025-11288

Severity: LOW (CVSS 4.0 score 2.1, rated by NVD)
Weakness: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
2025-10-05 · cna@vuldb.com

Severity by source

NVD (primary): 2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 01:31 (vuln.today)

Description (CVE.org)

A security flaw has been discovered in CRMEB up to 5.6. This issue affects some unknown processing of the file /adminapi/product/product of the component GET Parameter Handler. Performing a manipulation of the argument cate_id results in SQL injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

SQL injection in CRMEB up to version 5.6 allows authenticated remote attackers to manipulate the cate_id parameter in GET requests to the /adminapi/product/product endpoint, potentially leading to unauthorized data access or modification. The vulnerability requires valid login credentials, and the CVSS 4.0 vector rates its technical impact as limited (low confidentiality, integrity and availability impact on the vulnerable system; no impact on subsequent systems), but publicly available exploit code exists and the vendor has not responded to disclosure.

Technical Context (AI)

CRMEB is a PHP-based e-commerce and CRM platform. The vulnerability lies in the GET Parameter Handler of the /adminapi/product/product endpoint, where the user-supplied cate_id parameter is insufficiently sanitized before being used in SQL queries. This falls under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, also known as Injection), a class that includes SQL injection. The vulnerable endpoint processes product-related requests and accepts a category ID parameter that is incorporated into database queries without parameterized statements or input validation.

Remediation (AI)

Upgrade CRMEB to a patched version released after the vulnerability disclosure; no vendor-released patch version was confirmed in the available advisories, and the vendor appears unresponsive per the disclosure statement. Implement prepared statements or parameterized queries for all database interactions involving the cate_id parameter in the /adminapi/product/product endpoint. As a temporary compensating control before patching, restrict network access to the /adminapi/ endpoint to trusted IP addresses and limit administrative accounts to those that require product management functionality. Audit database logs for suspicious SQL queries or unauthorized data access involving the cate_id parameter. If patching is delayed, consider disabling the /adminapi/product/product endpoint entirely until remediation is available.
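As an added illustration (not CRMEB's own code), the weak query pattern the advisory describes beside a hardened version that validates cate_id as a positive integer and binds it as a typed parameter. The PDO handle, the `product` table and its column names are assumptions; CRMEB's real query layer and schema are not shown on this page.

```php
<?php
// Added example; the PDO connection, table and column names are assumed.

// Weak pattern described in the advisory: the raw GET value becomes part of
// the SQL text, so anything other than a plain integer alters the statement.
function listProductsByCategoryUnsafe(PDO $pdo, array $get): array
{
    $cateId = $get['cate_id'] ?? '';
    $sql = "SELECT id, store_name FROM product WHERE cate_id = " . $cateId;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: validate the shape of the input first, then hand the
// value to the database as a bound integer parameter rather than as SQL text.
function listProductsByCategorySafe(PDO $pdo, array $get): array
{
    $raw = $get['cate_id'] ?? null;

    // filter_var returns false for null, '', arrays, '1 OR 1=1', '3;', etc.
    // min_range rejects zero and negatives, which are not valid category ids.
    $cateId = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($cateId === false) {
        // Fail closed on malformed input; log the rejection for audit purposes.
        error_log('rejected cate_id value: ' . var_export($raw, true));
        throw new InvalidArgumentException('cate_id must be a positive integer');
    }

    // Where the driver supports it, disable emulated prepares so binding is
    // done server-side and the parameter can never be reinterpreted as SQL.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    $stmt = $pdo->prepare(
        'SELECT id, store_name FROM product WHERE cate_id = :cate_id'
    );
    $stmt->bindValue(':cate_id', $cateId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The same two checks (strict type validation, then parameter binding) apply to every other request parameter that reaches a query in the endpoint, not only cate_id.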


CVE-2025-11288 vulnerability details – vuln.today
