Skip to main content

SeaCMS CVE-2025-15003

LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2025-12-22 cna@vuldb.com
PHP SQLi Seacms
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 02:49 vuln.today

DescriptionCVE.org

A vulnerability was found in SeaCMS up to 13.3. The impacted element is an unknown function of the file admin_video.php. Performing a manipulation of the argument e_id results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.

AnalysisAI

SQL injection in SeaCMS up to version 13.3 via the e_id parameter in admin_video.php allows authenticated high-privilege attackers to execute arbitrary SQL queries and manipulate database content. The vulnerability requires administrative credentials, limiting real-world impact despite public exploit availability. EPSS score of 0.05% reflects the high privilege requirement needed for exploitation.

Technical ContextAI

SeaCMS is a content management system written in PHP. The vulnerability exists in the admin_video.php file, where the e_id parameter is not properly sanitized before being used in SQL queries. This is a classic case of improper input validation (CWE-74: Improper Neutralization of Special Elements in Output) leading to SQL injection. The vulnerability chain involves user-supplied input reaching SQL query construction without parameterized queries or adequate escaping. The CPE indicates all versions up to and including 13.3 are affected.

RemediationAI

Upgrade SeaCMS to a version newer than 13.3 if one is available from the vendor. If no patched version exists, implement the following compensating controls: (1) Restrict access to admin_video.php to specific IP addresses or require VPN-based access to admin panels, reducing the pool of potential privileged users who can be compromised; (2) disable the video management feature entirely if it is not essential to operations; (3) implement database query logging and alerting to detect anomalous SQL patterns executed by admin accounts; (4) enforce strong, unique admin credentials and rotate them regularly; (5) apply principle of least privilege by granting video admin permissions only to trusted personnel who require them. No public vendor patch URL or fix version has been confirmed from available references.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

CVE-2025-15003 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy