FastAdmin
CVE-2025-14966
Severity: LOW (primary rating from NVD, the only source for this CVE)
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was determined in FastAdmin up to 1.7.0.20250506. Affected is the function selectpage of the file application/common/controller/Backend.php of the component Backend Controller. Executing a manipulation of the argument custom/searchField can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.
Analysis (AI)
SQL injection in FastAdmin up to version 1.7.0.20250506 allows high-privilege authenticated attackers to execute arbitrary SQL queries via manipulation of the custom/searchField parameter in the selectpage function of the Backend Controller. The vulnerability requires administrator-level privileges and has publicly available exploit code, though the low CVSS score (2.0) and minimal EPSS exploitation probability (0.06%) indicate limited real-world risk despite the public disclosure.
Technical Context (AI)
FastAdmin is a PHP-based admin management framework. The vulnerability exists in the Backend Controller component (application/common/controller/Backend.php), specifically in the selectpage function, which handles search field parameters. The custom/searchField argument is processed without input validation or parameterized queries, allowing SQL injection; the weakness is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'). The attack vector is network-accessible but requires high-privilege administrator authentication, which significantly limits exploitability in typical deployments.
Remediation (AI)
Upgrade FastAdmin to a release newer than 1.7.0.20250506 that fixes the SQL injection in the selectpage function; vendors typically publish patched versions within days of public disclosure. If an immediate upgrade is not feasible, restrict administrative access to trusted personnel only and audit recent administrator activity against the selectpage/custom search functionality for signs of exploitation (malformed searchField parameters, unusual SQL statements in database logs). Web Application Firewall (WAF) rules that block SQL metacharacters (single quotes, semicolons, the UNION keyword) in the custom/searchField parameter add a layer of protection with little false-positive risk, since legitimate field names never contain SQL syntax; treat this as a stopgap rather than a fix, because the parameter still reaches the vulnerable code. Code-level mitigation: make every database query in the selectpage function use parameterized prepared statements rather than string concatenation, and validate the searchField parameter against an allow-list of field names (e.g., only names matching [a-zA-Z0-9_]). Both measures are needed because a column identifier cannot be bound as a query parameter; only the search value can.
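The following PHP is an added illustration of the code-level mitigation described above; it is not FastAdmin's own code and does not reproduce its selectpage implementation. The table name (admin), its columns, the allow-list contents and the function names are constructed for the example. It shows the two distinct controls the remediation calls for: the client-supplied field name is checked against a [a-zA-Z0-9_] pattern and an explicit allow-list before it is used as an identifier, and the search value is bound through a prepared statement rather than concatenated.

```php
<?php
// Added example, not FastAdmin code. Hardened "select page" lookup where the
// client supplies both a search field name and a search keyword.
declare(strict_types=1);

// Column names are SQL identifiers and cannot be bound as parameters, so they
// must be validated against an explicit allow-list (constructed for this example).
const ALLOWED_SEARCH_FIELDS = ['username', 'email', 'nickname'];

function validateSearchField(string $field): string
{
    // Structural check: mirrors the [a-zA-Z0-9_] rule from the remediation text.
    if (!preg_match('/^[a-zA-Z0-9_]+$/', $field)) {
        throw new InvalidArgumentException('search field contains characters outside [a-zA-Z0-9_]');
    }
    // Semantic check: even a well-formed name must be one we intend to expose.
    if (!in_array($field, ALLOWED_SEARCH_FIELDS, true)) {
        throw new InvalidArgumentException('search field is not in the allow-list');
    }
    return $field;
}

function selectPageSafe(PDO $db, string $searchField, string $keyword, int $page = 1, int $pageSize = 10): array
{
    // Identifier: validated above and then quoted. Value: bound as a parameter.
    $column = validateSearchField($searchField);
    $sql = sprintf(
        'SELECT id, username, email FROM admin WHERE "%s" LIKE :kw ORDER BY id LIMIT :lim OFFSET :off',
        $column
    );
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':kw', '%' . $keyword . '%', PDO::PARAM_STR);
    $stmt->bindValue(':lim', $pageSize, PDO::PARAM_INT);
    $stmt->bindValue(':off', ($page - 1) * $pageSize, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory fixture so the example runs offline (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, email TEXT, password_hash TEXT)');
$db->exec("INSERT INTO admin (username, email, password_hash) VALUES
    ('alice', 'alice@example.test', 'hash-a'),
    ('bob',   'bob@example.test',   'hash-b')");

// Legitimate request: allowed field, keyword bound as data.
print_r(selectPageSafe($db, 'username', 'ali'));

// Field names that a concatenating implementation would splice straight into
// the query are rejected before any SQL is built: one is a real column that is
// deliberately not exposed, the others fail the character rule.
foreach (['password_hash', 'username;--', 'user name'] as $bad) {
    try {
        selectPageSafe($db, $bad, 'x');
    } catch (InvalidArgumentException $e) {
        echo "blocked [{$bad}]: " . $e->getMessage() . PHP_EOL;
    }
}
```

The allow-list is the control that matters for the identifier: the regex alone would accept password_hash, which is a valid column name but not one a search endpoint should expose, so a pattern check without an explicit list of permitted fields still leaks schema. Quoting the validated identifier is belt-and-braces; it does not substitute for the validation.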