
Pbootcms CVE-2025-46109

EUVD-2025-28029 · HIGH
SQL Injection (CWE-89)
Published 2025-06-18 · cve@mitre.org
CVSS 3.1 (NVD): 8.8

Severity by source

NVD (primary): 8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned (euvd, Mar 14, 2026 - 22:49): EUVD-2025-28029
Analysis Generated (vuln.today, Mar 14, 2026 - 22:49)
PoC Detected (vuln.today, Jun 26, 2025 - 15:51): public exploit code
CVE Published (nvd, Jun 18, 2025 - 15:15): HIGH 8.8

Description (CVE.org)

SQL Injection vulnerability in pbootCMS v.3.2.5 and v.3.2.10 allows a remote attacker to obtain sensitive information via a crafted GET request.

Analysis (AI)

SQL Injection vulnerability in pbootCMS versions 3.2.5 and 3.2.10 that allows unauthenticated remote attackers to inject arbitrary SQL into database queries via crafted GET requests, potentially leading to unauthorized data disclosure, modification, or system compromise. With a CVSS score of 8.8, a network attack vector, no privileges required and only user interaction as a precondition (UI:R), this is a high-severity threat to publicly exposed pbootCMS installations. The high impact on confidentiality, integrity and availability suggests potential for large-scale exploitation, and the timeline above records public proof-of-concept code as already detected.

Technical Context (AI)

SQL Injection (CWE-89) is a fundamental input validation failure in which untrusted user input is concatenated into an SQL query instead of being bound through parameterized queries or prepared statements. In pbootCMS the flaw likely lies in GET request parameter handling, where query-string values are passed directly into database operations; the exact parameter and code path are not identified in this record. pbootCMS (CPE: cpe:2.3:a:pbootcms:pbootcms) is a PHP-based content management system. The affected versions 3.2.5 and 3.2.10 indicate that the vulnerability spans multiple recent releases, suggesting either a shared code path or incomplete patching between versions. A GET-based vector means the injection point is reachable through ordinary HTTP query parameters, so exploitation is technically simple (AC:L) and needs no authentication or privileges (PR:N); defenders should treat any internet-facing instance of these versions as exposed until patched, and watch web server logs for anomalous query strings against pbootCMS endpoints.


CVE-2025-46109 vulnerability details – vuln.today
