CVE-2025-51567

CRITICAL
2026-01-12 [email protected]
9.1
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
PoC Detected: Jan 16, 2026 - 17:31 (vuln.today), public exploit code
CVE Published: Jan 12, 2026 - 20:15 (nvd), CRITICAL 9.1

Description

A SQL injection vulnerability was found in the /exam/user/profile.php page of kashipara Online Exam System V1.0. It allows remote attackers to execute arbitrary SQL commands and gain unauthorized database access via the rname, rcollage, rnumber, rgender and rpassword parameters in an HTTP POST request.

Analysis

Kashipara Online Exam System V1.0 has SQL injection in profile.php through five POST parameters (rname, rcollage, rnumber, rgender, rpassword). PoC available.

Technical Context

Five parameters in profile.php are concatenated into SQL queries without parameterization (CWE-89).

Affected Products

Kashipara Online Exam System V1.0

Remediation

Use parameterized queries. This application needs a security audit before production use.
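
The remediation above, sketched as an added example (not code from the Online Exam System or from this advisory): a profile update in which all five POST parameters are bound as values instead of being concatenated into the SQL text. The `users` table, its column names, the `updateProfile` helper and the in-memory SQLite database are assumptions made for illustration; only the parameter names come from the description.

```php
<?php
declare(strict_types=1);

// In-memory SQLite stands in for the application's database (assumption).
// With a MySQL DSN, also set PDO::ATTR_EMULATE_PREPARES => false.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, college TEXT,
            number TEXT, gender TEXT, password TEXT)');   // hypothetical schema
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'placeholder')");

/**
 * Update a profile with every user-supplied value bound as a parameter.
 * $post is the request body ($_POST in a real page); $userId must come
 * from the server-side session, never from the request itself.
 */
function updateProfile(PDO $pdo, int $userId, array $post): int
{
    // Reject missing fields and array-valued fields (e.g. rname[]=...).
    foreach (['rname', 'rcollage', 'rnumber', 'rgender', 'rpassword'] as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) {
            throw new InvalidArgumentException("missing or non-string field: $f");
        }
    }
    // The SQL text is constant; user input only ever travels as bound values.
    $stmt = $pdo->prepare(
        'UPDATE users SET name = :name, college = :college, number = :number,
                gender = :gender, password = :password WHERE id = :id'
    );
    $stmt->execute([
        ':name'     => $post['rname'],
        ':college'  => $post['rcollage'],
        ':number'   => $post['rnumber'],
        ':gender'   => $post['rgender'],
        // Store a hash rather than the submitted password.
        ':password' => password_hash($post['rpassword'], PASSWORD_DEFAULT),
        ':id'       => $userId,
    ]);
    return $stmt->rowCount();
}

// Constructed input: quote characters are stored as literal text and
// cannot alter the statement.
$sample = ['rname' => "O'Brien \"Pat\"", 'rcollage' => 'Example College',
           'rnumber' => '5550100', 'rgender' => 'F', 'rpassword' => 'constructed-pw'];
$rows   = updateProfile($pdo, 1, $sample);
$stored = $pdo->query('SELECT name FROM users WHERE id = 1')->fetchColumn();
echo "rows updated: $rows\nstored name: $stored\n";
```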

Priority Score

66
KEV: 0
EPSS: +0.1
CVSS: +46
POC: +20
