Blood Bank And Donation Management System
CVE-2025-11481
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (source: CVE.org)
A flaw has been found in varunsardana004 Blood-Bank-And-Donation-Management-System up to dc9e0393d826fbc85fad9755b5bc12cba1919df2. The impacted element is an unknown function of the file /donate_blood.php. Executing manipulation of the argument fullname can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed.
Analysis (AI-generated)
SQL injection in Blood Bank And Donation Management System allows authenticated remote attackers to manipulate the fullname parameter of /donate_blood.php, potentially leading to unauthorized data access or modification. The vulnerability affects all versions up to commit dc9e0393d826fbc85fad9755b5bc12cba1919df2. Exploit code is publicly available, yet the EPSS score is low at 0.03% and the CVSS score is 2.1, indicating that exploitation is unlikely in practice because of the authentication requirement and the limited technical impact.
Technical Context (AI-generated)
The vulnerability is a classic SQL injection flaw (CWE-74) in a PHP-based blood bank management application. The affected endpoint /donate_blood.php fails to properly sanitize or parameterize the fullname input parameter before incorporating it into SQL queries. The underlying technology stack appears to be PHP with a relational database backend (likely MySQL or similar). The CPE designation cpe:2.3:a:varunsardana004:blood_bank_and_donation_management_system:*:*:*:*:*:*:*:* indicates this is an open-source or community project with no formal versioning scheme. The project uses a rolling release model via Git commits rather than discrete version releases, complicating patch tracking and deployment validation.
Remediation (AI-generated)
No vendor-released patch was identified at the time of analysis, owing to the rolling release model and the lack of official version numbering. Immediate remediation requires code review and patching of the /donate_blood.php endpoint so that all user-supplied input, particularly the fullname parameter, is passed to the database through prepared statements or parameterized queries. If the project is maintained on GitHub, monitor pull requests and commits addressing this vulnerability and pull them into production deployments. As a compensating control pending a code fix, implement Web Application Firewall (WAF) rules that block common SQL injection payloads (-- comments, UNION keywords, etc.) targeting the /donate_blood.php endpoint; this mitigates risk but reduces functionality if legitimate fullname entries contain SQL metacharacters. Additionally, if this is an internal healthcare tool, restrict network access to the application to authorized internal networks only, reducing the AV:N attack vector to AV:L in practice. Enforce the principle of least privilege for the database accounts used by the application, limiting query scope to only the required tables. Audit all user input validation and output encoding across the entire application, since a single SQLi vulnerability suggests that similar issues may exist elsewhere.
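The remediation above calls for prepared statements on the fullname parameter. The following PHP sketch is an added example written for this record; it is not code from the Blood-Bank-And-Donation-Management-System project and does not reproduce /donate_blood.php. It assumes PDO with a MySQL backend and a hypothetical donors table with fullname, blood_group and phone columns. It shows the concatenation pattern a code reviewer should look for next to the parameterized form that fixes it, plus a validation step that still accepts names containing apostrophes, which is why binding rather than filtering is the actual fix.

```php
<?php
// Added example, not the project's code. Table and column names are
// hypothetical; the DSN, account and environment variable are placeholders.
declare(strict_types=1);

function getDb(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=bloodbank;charset=utf8mb4';
    $opts = [
        // Use server-side prepared statements so the bound value is never
        // spliced into the query text on the client.
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ];
    // A least-privilege account that can only INSERT/SELECT on donors.
    return new PDO($dsn, 'bloodbank_app', getenv('DB_PASSWORD') ?: '', $opts);
}

// The defect class this CVE describes: request values are concatenated into
// the SQL string, so a quote or comment sequence in fullname changes the
// meaning of the statement. Shown only so reviewers recognise the pattern.
function registerDonorUnsafe(PDO $db, array $post): void
{
    $sql = "INSERT INTO donors (fullname, blood_group, phone) VALUES ('"
         . $post['fullname'] . "', '" . $post['blood_group'] . "', '"
         . $post['phone'] . "')";
    $db->exec($sql);
}

// Input validation: letters (including accented), spaces, dots, apostrophes
// and hyphens, 2 to 100 characters. Apostrophes stay legal (O'Brien), which
// is exactly why this check is not a substitute for parameter binding.
function validateFullname(string $name): string
{
    $name = trim($name);
    if (!preg_match("/^[\p{L} .'-]{2,100}$/u", $name)) {
        throw new InvalidArgumentException('fullname contains unexpected characters');
    }
    return $name;
}

function validateBloodGroup(string $group): string
{
    $allowed = ['A+', 'A-', 'B+', 'B-', 'AB+', 'AB-', 'O+', 'O-'];
    if (!in_array($group, $allowed, true)) {
        throw new InvalidArgumentException('unknown blood group');
    }
    return $group;
}

// Hardened version: validate each field, then bind it as a named parameter.
// The database receives the query text and the values separately, so the
// content of fullname can never alter the statement.
function registerDonorSafe(PDO $db, array $post): int
{
    $fullname   = validateFullname((string)($post['fullname'] ?? ''));
    $bloodGroup = validateBloodGroup((string)($post['blood_group'] ?? ''));
    $phone      = trim((string)($post['phone'] ?? ''));

    $stmt = $db->prepare(
        'INSERT INTO donors (fullname, blood_group, phone)
         VALUES (:fullname, :blood_group, :phone)'
    );
    $stmt->execute([
        ':fullname'    => $fullname,
        ':blood_group' => $bloodGroup,
        ':phone'       => $phone,
    ]);
    return (int)$db->lastInsertId();
}

// Usage from a request handler (placeholder error handling):
// try {
//     $id = registerDonorSafe(getDb(), $_POST);
// } catch (InvalidArgumentException $e) {
//     http_response_code(400);
// }
```

When auditing the rest of the application, as the remediation recommends, the thing to grep for is the registerDonorUnsafe shape: any query string built with `.` or double-quoted interpolation from $_GET, $_POST or $_REQUEST. The WAF rule mentioned above would reject a legitimate name such as O'Brien; the bound parameter accepts it without risk, which is the reason parameterization is the primary fix and the WAF only a stopgap.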