Severity by source
CVSS 3.1 vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD; only source for this CVE.
Description (CVE.org)
A SQL Injection vulnerability was discovered in the askquery.php file of CloudClassroom-PHP Project v1.0. The squeryx parameter accepts unsanitized input, which is passed directly into backend SQL queries.
Analysis (AI)
CVE-2025-46179 is a critical SQL injection vulnerability in CloudClassroom-PHP Project v1.0's askquery.php file, where the 'squeryx' parameter is passed directly into SQL queries without sanitization. This affects all installations of CloudClassroom-PHP v1.0 and allows unauthenticated remote attackers to execute arbitrary SQL commands, potentially leading to complete database compromise including data exfiltration, modification, and denial of service. The vulnerability has a CVSS 9.8 score reflecting its network-based exploitability with no authentication or user interaction required; active exploitation status and POC availability are unknown from the provided data.
Technical Context (AI)
The vulnerability exists in CloudClassroom-PHP Project v1.0, a web-based classroom management system written in PHP. The root cause is classified as CWE-89 (SQL Injection), a classic input validation flaw where user-supplied data from the 'squeryx' parameter is concatenated directly into SQL query strings without parameterized queries, prepared statements, or input validation. This occurs in the askquery.php file, suggesting the vulnerability is in a query/question handling endpoint. The affected technology stack includes PHP as the server-side language and likely MySQL/MariaDB as the database backend. The lack of prepared statement usage or input sanitization functions (such as mysqli_real_escape_string or, preferably, parameterized queries with bound parameters) allows attackers to inject arbitrary SQL syntax.
Remediation (AI)
Immediate actions:
(1) Disable or restrict network access to askquery.php and related query endpoints until patching is complete.
(2) Implement Web Application Firewall (WAF) rules to detect/block SQL injection attempts (keywords: UNION, SELECT, OR 1=1, DROP, EXEC, etc.).
(3) Monitor database logs for suspicious query patterns.
Proper fixes:
(1) Refactor askquery.php to use prepared statements with parameterized queries in PHP (mysqli_prepare/execute or PDO prepared statements) for all database interactions involving the 'squeryx' parameter.
(2) Implement input validation and type-checking for the 'squeryx' parameter before any database operation.
(3) Apply the principle of least privilege: the database user account running the queries should have minimal permissions (SELECT-only if possible).
(4) Check for available patches from the CloudClassroom-PHP project repository (likely GitHub); if none are available, consider migrating to a maintained alternative.
No specific patch version is provided, so contact the vendor or check the project's issue tracker.
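The following is an added illustration of fixes (1) through (3) above, not code from the CloudClassroom-PHP project: the page does not show the original askquery.php query, so the table name (queries), column names, database user name (cloudclassroom_ro) and the validation policy for 'squeryx' are all assumptions. It uses PDO prepared statements (mysqli_prepare/execute would work equally) and assumes PHP 8.0 or later for the mixed type.

```php
<?php
// Added example, not the project's askquery.php. Table, column and
// account names below are assumptions; the page does not provide them.
declare(strict_types=1);

// Least privilege (assumed account 'cloudclassroom_ro'): a user granted
// only SELECT on the table this endpoint reads, nothing else.
$pdo = new PDO(
    'mysql:host=localhost;dbname=cloudclassroom;charset=utf8mb4',
    'cloudclassroom_ro',
    getenv('DB_PASSWORD') ?: '',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

/**
 * Validate and type-check the squeryx parameter before any database use.
 * Returns the trimmed string, or null if the input is not acceptable.
 * The length limit and character set are an assumed policy for a
 * free-text question search.
 */
function validateSqueryx(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;                          // arrays/objects are never valid
    }
    $value = trim($raw);
    if ($value === '' || mb_strlen($value) > 200) {
        return null;
    }
    // Letters, digits, whitespace and basic punctuation only.
    if (!preg_match('/^[\p{L}\p{N}\s.,?!\-\'"]+$/u', $value)) {
        return null;
    }
    return $value;
}

// CWE-89 pattern the description refers to (illustrative, not the real file):
// untrusted input concatenated straight into the SQL string.
//   $sql  = "SELECT * FROM queries WHERE question LIKE '%" . $_GET['squeryx'] . "%'";
//   $rows = $pdo->query($sql);

// Hardened handling: validate first, then bind the value as a parameter so
// it can never be interpreted as SQL syntax.
$squeryx = validateSqueryx($_GET['squeryx'] ?? null);
if ($squeryx === null) {
    http_response_code(400);
    exit('Invalid search query.');
}

$stmt = $pdo->prepare(
    'SELECT id, question, answer FROM queries WHERE question LIKE :pattern LIMIT 50'
);
// Escape LIKE wildcards so user input cannot silently widen the match.
$pattern = '%' . addcslashes($squeryx, '%_\\') . '%';
$stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
$stmt->execute();

$results = $stmt->fetchAll(PDO::FETCH_ASSOC);
header('Content-Type: application/json');
echo json_encode($results, JSON_THROW_ON_ERROR);
```

The two-layer approach matters: the prepared statement is what actually removes the injection, while the validation step rejects malformed or oversized input early and gives the WAF and database-log monitoring described above a clean baseline to compare against. Disabling PDO::ATTR_EMULATE_PREPARES ensures the parameter is bound by the server rather than interpolated client-side.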
EUVD-2025-18756