EUVD-2025-18485CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4Description
A vulnerability classified as critical was found in Webkul QloApps 1.6.1. Affected by this vulnerability is an unknown functionality of the file /admin/ajax_products_list.php. The manipulation of the argument packItself leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor confirms the existence of this flaw but considers it a low-level issue due to admin privilege pre-requisites. Still, a fix is planned for a future release.
Analysis
A vulnerability classified as critical was found in Webkul QloApps 1.6.1. Affected by this vulnerability is an unknown functionality of the file /admin/ajax_products_list.php. The manipulation of the argument packItself leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor confirms the existence of this flaw but considers it a low-level issue due to admin privilege pre-requisites. Still, a fix is planned for a future release.
Technical Context
SQL injection occurs when user-supplied input is incorporated into SQL queries without proper sanitization or parameterized queries.
Affected Products
Affected products: Webkul Qloapps 1.6.1
Remediation
Use parameterized queries or prepared statements. Apply input validation and escape special characters. Implement least-privilege database accounts.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today