CVE-2025-61548

CRITICAL
2026-01-08 [email protected]
9.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
PoC Detected
Feb 10, 2026 - 18:16 vuln.today
Public exploit code
CVE Published
Jan 08, 2026 - 17:15 nvd
CRITICAL 9.8

Tags

SQLi Print Shop Pro Webdesk

Description

SQL Injection is present on the hfInventoryDistFormID parameter in the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34 (fixed in 19.69). Unsanitized user input is incorporated directly into SQL queries without proper parameterization or escaping. This vulnerability allows remote attackers to execute arbitrary SQL commands

Analysis

Print Shop Pro WebDesk 18.34 has SQL injection in the hfInventoryDistFormID parameter of GetUnitPrice. Combined with CVE-2025-61546 (negative quantities), this endpoint has two critical vulnerabilities. PoC available, fixed in 19.69.

Technical Context

The hfInventoryDistFormID parameter is directly concatenated into SQL queries (CWE-89). This is the same endpoint affected by CVE-2025-61546, indicating a broader lack of input validation.

Affected Products

Print Shop Pro WebDesk 18.34 (fixed in 19.69)

Remediation

Update to version 19.69. Implement parameterized queries.

Priority Score

69
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +49
POC: +20

Share

CVE-2025-61548 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy