Simple Banking System
CVE-2025-11357
LOW
Severity by source: NVD (primary rating; the only source for this CVE)
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A security flaw has been discovered in code-projects Simple Banking System 1.0. This issue affects some unknown processing of the file /createuser.php. Performing manipulation of the argument Name results in SQL injection. The attack may be initiated remotely. The exploit has been released to the public and may be exploited.
Analysis (AI-generated)
SQL injection in Simple Banking System 1.0 lets a remote attacker who already holds an account (PR:L) manipulate the Name parameter of /createuser.php and change the SQL statement the script executes, with limited impact on confidentiality, integrity and availability (VC:L/VI:L/VA:L). The record rates the issue LOW with a CVSS score of 2.1, reflecting the authentication requirement and the limited impact. Public exploit code exists (E:P), but the EPSS score of 0.03% indicates a low observed probability of exploitation in the wild despite that availability.
Technical Context (AI-generated)
The flaw sits in PHP application code: the Name value submitted to /createuser.php is placed into a SQL statement without neutralising the characters that carry meaning in SQL, so a crafted value can close the intended string literal and alter the structure of the statement. The record classifies the weakness as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), the parent category of the more specific CWE-89 (SQL Injection); the root cause is building the query by concatenating user input instead of using prepared statements with bound parameters. Note the vendor naming inconsistency on this record: the CVE description attributes the product to code-projects, while the NVD CPE is cpe:2.3:a:codeastro:simple_banking_system:1.0:*:*:*:*:*:*:*.
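The following is an added example, not code from the Simple Banking System project: it reproduces the flaw class described above (user input concatenated into an INSERT) next to the parameterised form, and runs the same Name payload through both. SQLite stands in for the application's MySQL backend, and the users table schema, the column names and the payload are this example's own assumptions.

```python
import sqlite3

# Added example, not code from the Simple Banking System project. SQLite stands
# in for the application's MySQL backend and the users table is an assumed schema.

# Attacker-controlled value for the Name field: closes the string literal,
# supplies its own role, and comments out the rest of the original statement.
PAYLOAD = "x', 'admin') -- "


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, "
        "role TEXT NOT NULL DEFAULT 'customer')"
    )
    return conn


def create_user_vulnerable(conn: sqlite3.Connection, name: str) -> str:
    """The flaw class reported for /createuser.php: Name is spliced into the SQL text."""
    sql = f"INSERT INTO users (name, role) VALUES ('{name}', 'customer')"
    conn.execute(sql)
    return sql  # returned so the statement that actually ran can be inspected


def create_user_safe(conn: sqlite3.Connection, name: str) -> None:
    """Fixed form: a parameterised statement sends Name as data, never as SQL."""
    conn.execute("INSERT INTO users (name, role) VALUES (?, 'customer')", (name,))


def all_users(conn: sqlite3.Connection) -> list[tuple[str, str]]:
    return conn.execute("SELECT name, role FROM users ORDER BY id").fetchall()


def demo() -> dict:
    """Run the same payload through both versions against fresh databases."""
    vuln = make_db()
    create_user_vulnerable(vuln, PAYLOAD)
    safe = make_db()
    create_user_safe(safe, PAYLOAD)
    return {"vulnerable": all_users(vuln), "safe": all_users(safe)}


if __name__ == "__main__":
    result = demo()
    print("vulnerable:", result["vulnerable"])  # [('x', 'admin')]
    print("safe:      ", result["safe"])        # [("x', 'admin') -- ", 'customer')]
```

In the vulnerable path the payload creates a user with the attacker's chosen role; in the parameterised path the whole payload is stored as a literal name and the role stays 'customer'. In the PHP application the equivalent fix is mysqli_prepare() with bind_param(), or PDO::prepare() with bound values, applied to every query the scripts issue.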
Remediation (AI-generated)
The fix is to stop building SQL from user input: refactor /createuser.php, and every other script that issues queries, to use prepared statements with bound parameters. That change removes the vulnerability; nothing else below does. The record does not reference a patched release, so check https://code-projects.org/ for an update and test any change in a non-production environment before deploying it.

Compensating controls while the code remains unfixed, none of which removes the injection: validate the Name parameter against a strict allow-list of characters before it reaches database logic (bearing in mind that legitimate names contain apostrophes, so validation alone cannot be relied on); run the application as a dedicated low-privilege database user that holds only the SELECT and INSERT privileges it needs on the relevant tables, which limits what an injected statement can read or modify; restrict /createuser.php to administrators through role-based access checks or IP allow-listing; and review database query logs for injection patterns such as comment sequences, stacked statements and tautologies.

The trade-off of the privilege restriction is that any legitimate operation that needs UPDATE or DELETE will break, so review the application's real database access before tightening grants.
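Two of the compensating controls above, the allow-list check on Name and the review of query logs, as an added example that is not code from the Simple Banking System project or from the vendor. The log lines are constructed in MySQL general_log style (Time, Id, Command, Argument), and the allow-list pattern, the indicator regexes and the quote-parity heuristic are this example's own assumptions about what a reviewer would look for.

```python
import re

# Added example, not code from the Simple Banking System project. The log lines
# below are constructed in MySQL general_log style (Time  Id  Command  Argument)
# and the allow-list and indicator patterns are this example's own assumptions.

SAMPLE_LOG = """\
2025-10-07T10:12:01.000000Z    12 Query    INSERT INTO users (name, role) VALUES ('Alice Smith', 'customer')
2025-10-07T10:12:02.000000Z    12 Query    INSERT INTO users (name, role) VALUES ('Conor O''Brien', 'customer')
2025-10-07T10:12:05.000000Z    14 Query    INSERT INTO users (name, role) VALUES ('x', 'admin') -- ', 'customer')
2025-10-07T10:12:09.000000Z    14 Query    SELECT * FROM users WHERE name = '' OR '1'='1' -- '
2025-10-07T10:12:11.000000Z    15 Query    INSERT INTO users (name, role) VALUES ('y', 'customer'); DROP TABLE users; -- ', 'customer')
"""

# Allow-list for the Name field: a letter followed by letters, spaces,
# apostrophes, dots and hyphens. The apostrophe is legitimate in names, which
# is why this check is defence in depth and not a substitute for parameters.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' .-]{0,63}")


def name_is_valid(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None


LOG_RE = re.compile(r"^(?P<time>\S+)\s+(?P<id>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")

INDICATORS = [
    ("sql_comment", re.compile(r"--|/\*")),
    ("stacked_query", re.compile(r";\s*(DROP|DELETE|UPDATE|INSERT|ALTER)\b", re.I)),
    ("union_select", re.compile(r"\bUNION\b.*\bSELECT\b", re.I)),
    ("tautology", re.compile(r"\bOR\b\s*('?\w+'?)\s*=\s*\1", re.I)),
]


def indicators(query: str) -> list[str]:
    """Names of the injection indicators present in one logged statement."""
    hits = [name for name, rx in INDICATORS if rx.search(query)]
    # A correctly quoted literal leaves an even number of single quotes; a
    # payload that breaks out of the literal usually leaves an odd count.
    if query.count("'") % 2 == 1:
        hits.append("unbalanced_quotes")
    return hits


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (time, connection id, indicators) for every flagged Query line."""
    flagged = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None or m["cmd"] != "Query":
            continue
        hits = indicators(m["arg"])
        if hits:
            flagged.append((m["time"], m["id"], hits))
    return flagged


if __name__ == "__main__":
    for candidate in ("Conor O'Brien", "x', 'admin') -- "):
        print(f"{candidate!r}: valid={name_is_valid(candidate)}")
    for time, conn_id, hits in scan_log(SAMPLE_LOG):
        print(time, conn_id, ", ".join(hits))
```

The two benign inserts, including the name with an escaped apostrophe, produce no hits; the three injected statements are flagged by connection id, which is the pivot for tracing them back to the web server's access log. For the privilege restriction the page recommends, the matching MySQL grant would be of the form GRANT SELECT, INSERT ON banking.* TO 'app'@'localhost' (database and account names assumed here); the indicator list is deliberately short and will need tuning against the application's real query shapes before it is used for alerting.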