What is the CVSS score of CVE-2025-6364?

CVE-2025-6364 has a CVSS 3.1 base score of 7.3 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. EPSS exploitation probability: 0.1%.

Which versions of PHP are affected by CVE-2025-6364?

A SQL injection vulnerability in the Simple Pizza Ordering System allows unauthenticated remote attackers to compromise the application database through the user registration endpoint.

Is there a public PoC exploit available for CVE-2025-6364?

Yes, a public proof-of-concept exploit is available for CVE-2025-6364. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-6364?

Within 24 hours: Assess whether this application is in production and exposed to untrusted networks; if yes, immediately disable or restrict access to /adduser-exec.php. Within 7 days: Implement Web Application Firewall (WAF) rules to block SQL injection patterns in the Username parameter, and conduct a database audit for unauthorized access or data exfiltration. Within 30 days: Develop a migration plan to replace or upgrade this unsupported software; contact the vendor for patch availability or timeline, and establish compensating controls if the application cannot be retired.

PHP CVE-2025-6364

EUVD-2025-18790 HIGH

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

2025-06-20 cna@vuldb.com

PHP SQLi Simple Pizza Ordering System

7.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 00:19 euvd

EUVD-2025-18790

Analysis Generated

Mar 15, 2026 - 00:19 vuln.today

PoC Detected

Jun 26, 2025 - 15:28 vuln.today

Public exploit code

CVE Published

Jun 20, 2025 - 21:15 nvd

HIGH 7.3

DescriptionNVD

A vulnerability has been found in code-projects Simple Pizza Ordering System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /adduser-exec.php. The manipulation of the argument Username leads to sql injection. The attack can be launched remotely.

AnalysisAI

A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.

Technical ContextAI

CWE-74 (Injection). CVSS 7.3 indicates high severity. Affects A vulnerability.

RemediationAI

Monitor vendor channels for patch availability. Implement input validation and WAF rules as interim mitigation.

CVE-2025-6364 vulnerability details – vuln.today

Back