
Online Event Judging System CVE-2025-12252

Severity: LOW (CVSS 4.0 base score 2.1, NVD)
Weakness: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Published: 2025-10-27 by cna@vuldb.com

Severity by source

NVD (primary): 2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 02:31 (vuln.today)

Description (CVE.org)

A vulnerability was found in code-projects Online Event Judging System 1.0. Affected is an unknown function of the file /ajax/action.php. The manipulation of the argument content results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used.

Analysis (AI)

SQL injection in code-projects Online Event Judging System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the content parameter of /ajax/action.php, resulting in limited confidentiality, integrity, and availability impact. Public exploit code exists, though the EPSS score (0.03%) suggests minimal real-world exploitation. The vulnerability requires prior authentication, which significantly limits the practical attack surface.

Technical Context (AI)

The vulnerability exists in a PHP-based web application at the /ajax/action.php endpoint, where user-supplied input from the 'content' parameter is improperly validated before being incorporated into SQL queries. This is a classic CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) manifestation, where user input reaches the database layer without parameterized queries or sufficient escaping. The affected product is the Online Event Judging System version 1.0 by carmelo, identified via CPE cpe:2.3:a:carmelo:online_event_judging_system:1.0:*:*:*:*:*:*:*. The CVSS 4.0 vector indicates network-accessible injection with low attack complexity, but authentication requirement (PR:L) and limited scope (S:X, confined impact) reduce the practical threat model.

Remediation (AI)

No vendor-released patch has been identified at the time of analysis. Immediate remediation requires upgrading to a patched version, if one is available from carmelo/code-projects, or implementing input validation on the content parameter together with parameterized queries (prepared statements) in /ajax/action.php to neutralize the SQL injection. If a patched version is unavailable, apply compensating controls:

1. Enforce strict input validation using allowlist patterns for the content parameter (trade-off: may restrict legitimate use cases that require special characters).
2. Implement database-level access controls restricting the application's database user to SELECT, UPDATE, and DELETE only on the necessary tables, with no CREATE/DROP permissions (trade-off: requires a database architecture review).
3. Enable Web Application Firewall (WAF) rules to detect and block common SQL injection payloads (trade-off: potential for false positives).
4. Restrict access to /ajax/action.php to authenticated users via network segmentation or authentication middleware (already required per the CVSS vector, but enforce it rigorously).

Consult the exploit reference at https://github.com/xmqaq/cve/issues/10 and the vulnerability details at https://vuldb.com/?id.329923 for exploitation specifics to inform testing.
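The fix the remediation describes, shown as an added PHP example that is not the project's own code (the affected source is not reproduced on this page): a constructed handler that interpolates a content parameter into a query, beside a hardened version using a mysqli prepared statement, an authentication check and allowlist validation. The table and column names (event_entries, content, id) and the function names are assumptions.

```php
<?php
// Added example (not the project's code): the flaw class described above,
// shown as a constructed handler for a "content" parameter, beside the
// prepared-statement fix. Table/column names are assumptions.

// Vulnerable pattern: request data interpolated into the SQL string, so a
// quote inside $content ends the literal and the remainder is parsed as SQL.
function update_content_vulnerable(mysqli $db, array $post): bool
{
    $id      = $post['id'] ?? '';
    $content = $post['content'] ?? '';
    $sql = "UPDATE event_entries SET content = '$content' WHERE id = '$id'";
    return $db->query($sql) === true;
}

// Hardened pattern: authentication check, allowlist validation, and a
// prepared statement that keeps data separate from query structure.
function update_content_safe(mysqli $db, array $post, array $session): bool
{
    // The endpoint already requires a logged-in user (PR:L); enforce it here too.
    if (empty($session['user_id'])) {
        return false;
    }
    // id must be digits only (ctype_digit rejects "", signs, spaces, quotes).
    if (!isset($post['id']) || !ctype_digit((string) $post['id'])) {
        return false;
    }
    $id = (int) $post['id'];
    // Free text is allowed, but it must be a string of bounded length.
    $content = $post['content'] ?? null;
    if (!is_string($content) || strlen($content) > 2000) {
        return false;
    }

    // Placeholders send $content to the server as a bound value; it is never
    // part of the SQL text, so quotes and comment markers have no effect.
    $stmt = $db->prepare('UPDATE event_entries SET content = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $content, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage inside /ajax/action.php, assuming $db is an existing mysqli connection
// whose database account holds only the privileges the tables require:
// echo json_encode(['ok' => update_content_safe($db, $_POST, $_SESSION)]);
```

Pair the code change with the database-account restriction from item 2 above, so that even a missed query cannot alter schema or reach unrelated tables.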
