CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description (NVD)
A vulnerability was found in CodeAstro Real Estate Management System 1.0. It has been classified as critical. This affects an unknown part of the file /login.php. The manipulation of the argument email leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Critical SQL injection vulnerability in CodeAstro Real Estate Management System version 1.0, affecting the /login.php file's email parameter. An unauthenticated remote attacker can inject malicious SQL commands through the email input field to read, modify, or delete database records, potentially leading to unauthorized access, data exfiltration, and system compromise. The vulnerability has been publicly disclosed with proof-of-concept code available, creating significant real-world exploitation risk.
Technical Context (AI)
The vulnerability is a classic SQL injection flaw (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component) in the login authentication mechanism. The /login.php endpoint fails to sanitize or parameterize the email parameter before incorporating it into SQL queries. Rather than using prepared statements or parameterized queries, the application likely concatenates user input directly into a SQL WHERE clause (e.g., "SELECT * FROM users WHERE email = '" . $email . "'" in PHP), so a quote character in the input terminates the string literal and lets the remainder of the input be parsed as SQL. The affected product is CodeAstro Real Estate Management System 1.0, a PHP-based web application for managing real estate operations. The root cause is inadequate input validation combined with the absence of the output encoding or parameter binding that CWE-74 classifications call for.
Remediation (AI)
Immediate actions:
(1) Apply security patches: upgrade CodeAstro Real Estate Management System to version 1.1 or later once available, and contact CodeAstro support for the emergency patching timeline.
(2) Interim mitigations: implement Web Application Firewall (WAF) rules blocking SQL keywords in the email parameter ('UNION', 'SELECT', 'DROP', etc.) and enforce a strict email-format validation regex (^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$). Treat both as stopgaps that reduce exposure until the code is fixed, not as a replacement for the fix.
(3) Implement prepared statements/parameterized queries in login.php using PHP PDO or MySQLi prepared statements instead of string concatenation.
(4) Apply the principle of least privilege to the database account the application uses to run queries.
(5) Suppress SQL error output to the client to prevent information leakage; log errors server-side instead.
(6) Deploy intrusion detection signatures for SQL injection patterns on login endpoints.
Long-term: conduct a code review of all user input handling, implement OWASP Top 10 secure coding practices, and deploy static application security testing (SAST) in the development pipeline.
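As an added illustration of points (2), (3) and (5), and not code from CodeAstro or from this advisory: the concatenated lookup the analysis describes, beside a PDO prepared-statement version with an email-format check and server-side-only error logging. It runs against an in-memory SQLite database so it can be executed offline with the php CLI; the users table, its column names, the sample account and the DSN are assumptions, and a real deployment would use the MySQL DSN and a database account restricted to the tables the login path needs.

```php
<?php
declare(strict_types=1);
// Added example (not CodeAstro's code). Assumed schema: users(id, email, password_hash).
// SQLite in-memory DB keeps the demo self-contained; production would use a MySQL DSN.

function setupDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
    $ins = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:e, :h)');
    // Constructed sample account, not taken from the advisory.
    $ins->execute([':e' => 'agent@example.com', ':h' => password_hash('demo-password', PASSWORD_DEFAULT)]);
    return $pdo;
}

// VULNERABLE pattern from the analysis: the email is spliced into the SQL text,
// so any quote character in the input changes the structure of the query.
function findUserVulnerable(PDO $pdo, string $email): ?array
{
    $sql = "SELECT id, email, password_hash FROM users WHERE email = '" . $email . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// FIXED: reject malformed addresses, then bind the value as a parameter so the
// database receives it as data and never as part of the SQL syntax.
function findUserSafe(PDO $pdo, string $email): ?array
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, email, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Login path: database errors are logged server-side and answered with a generic
// failure, so SQL error text never reaches the client.
function login(PDO $pdo, string $email, string $password): bool
{
    try {
        $user = findUserSafe($pdo, $email);
    } catch (PDOException $e) {
        error_log('login lookup failed: ' . $e->getMessage());
        return false;
    }
    return $user !== null && password_verify($password, $user['password_hash']);
}

$pdo = setupDemoDb();
// Constructed input: an ordinary-looking address that happens to contain an apostrophe.
$input = "o'neill@example.com";

try {
    findUserVulnerable($pdo, $input);
    echo "concatenated query ran unchanged\n";
} catch (PDOException $e) {
    // The apostrophe terminated the string literal: the input rewrote the SQL.
    echo "concatenated query broke: " . $e->getMessage() . "\n";
}

var_dump(findUserSafe($pdo, $input) === null);   // unknown address, query structure intact
var_dump(login($pdo, 'agent@example.com', 'demo-password'));
var_dump(login($pdo, 'agent@example.com', 'wrong-password'));
```

Run it with `php example.php`. With the apostrophe input the concatenated version raises a syntax error, which is the observable sign that user input has become part of the statement; the bound version simply finds no such user and the statement is unchanged. For MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server, not the client library, performs the parameter binding.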
EUVD-2025-16861