Skip to main content

Gemscms Backend CVE-2025-52025

CRITICAL
SQL Injection (CWE-89)
2026-01-23 cve@mitre.org
9.4
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
9.4 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 23, 2026 - 21:15 nvd
CRITICAL 9.4

DescriptionCVE.org

An SQL Injection vulnerability exists in the GetServiceByRestaurantID endpoint of the Aptsys gemscms POS Platform backend thru 2025-05-28. The vulnerability arises because user input is directly inserted into a dynamic SQL query syntax without proper sanitization or parameterization. This allows an attacker to inject and execute arbitrary SQL code by submitting crafted input in the id parameter, leading to unauthorized data access or modification.

AnalysisAI

Aptsys gemscms POS Platform has a SQL injection in the GetServiceByRestaurantID endpoint allowing extraction of restaurant and payment data.

Technical ContextAI

The GetServiceByRestaurantID endpoint in Aptsys gemscms has a CWE-89 SQL injection that allows unauthenticated attackers to inject arbitrary SQL commands through the restaurant ID parameter.

RemediationAI

Parameterize all SQL queries. Both CVEs must be addressed to secure the POS system.

Share

CVE-2025-52025 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy