Is there a public PoC exploit available for CVE-2025-11551?

Yes, a public proof-of-concept exploit is available for CVE-2025-11551. Prioritise patching immediately. EPSS: 0.0%.

Student Result Manager CVE-2025-11551

Q: What is the CVSS score of CVE-2025-11551?

CVE-2025-11551 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

LOW

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

2025-10-09 cna@vuldb.com

SQLi Student Result Manager

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Apr 29, 2026 - 01:30 vuln.today

DescriptionCVE.org

A vulnerability was determined in code-projects Student Result Manager 1.0. This affects an unknown function of the file src/students/Database.java. This manipulation of the argument roll/name/gpa causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

AnalysisAI

SQL injection in code-projects Student Result Manager 1.0 allows authenticated remote attackers to manipulate roll, name, or GPA parameters in Database.java, resulting in limited confidentiality, integrity, and availability impact. The vulnerability requires valid login credentials and has been publicly disclosed with exploit code available, but carries very low exploitation probability (EPSS 0.03%) and minimal security impact due to restricted scope.

Technical ContextAI

The vulnerability exists in src/students/Database.java where user-supplied input for roll number, student name, or GPA fields is concatenated directly into SQL queries without parameterized statements or input sanitization. This classic SQL injection (CWE-74: Improper Neutralization of Special Elements used in an Output) allows an authenticated user to inject arbitrary SQL syntax. The affected product is a student result management system built in Java using direct database connectivity without prepared statement protection.

RemediationAI

No vendor-released patch has been identified at time of analysis. The primary mitigation is to upgrade to a patched version if available from the vendor, or migrate to a supported student management system. Immediate compensating controls include: implementing prepared statements and parameterized queries in Database.java to prevent SQL injection, restricting network access to the application to trusted internal networks only (limit PR:L scope by reducing PR to effectively nil for untrusted users), enforcing strong authentication with MFA on student management accounts, and applying input validation whitelisting for roll numbers (numeric-only), names (alphanumeric + spaces), and GPA values (numeric with decimal constraints). Database-level mitigations include creating a dedicated read-only database user for the application with minimal required permissions and disabling dynamic SQL execution capabilities where possible.

CVE-2025-11551 vulnerability details – vuln.today

Back