Skip to main content

PHP CVE-2025-63939

| EUVDEUVD-2025-209441 CRITICAL
SQL Injection (CWE-89)
2026-04-14 mitre GHSA-25qr-g262-c7jp
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 17, 2026 - 15:37 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 17:00 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 16:00 euvd
EUVD-2025-209441
Analysis Generated
Apr 14, 2026 - 16:00 vuln.today
CVE Published
Apr 14, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

Improper input handling in /Grocery/search_products_itname.php, in anirudhkannan Grocery Store Management System 1.0, allows SQL injection via the sitem_name POST parameter.

AnalysisAI

SQL injection in Grocery Store Management System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands through the sitem_name parameter in search_products_itname.php. The vulnerability achieves maximum CVSS 9.8 due to network accessibility without authentication, enabling complete database compromise including data exfiltration, modification, and potential system takeover. EPSS data not available; no confirmed active exploitation (CISA KEV) identified at time of analysis, though publicly available exploit code exists per researcher advisory.

Technical ContextAI

The vulnerability resides in the product search functionality of anirudhkannan's Grocery Store Management System, a PHP-based web application. The /Grocery/search_products_itname.php endpoint fails to properly sanitize or parameterize the sitem_name POST parameter before incorporating it into SQL queries. This represents a classic SQL injection vulnerability where user-controlled input is concatenated directly into database commands rather than using prepared statements or input validation. The affected system likely uses MySQL or similar relational database backend common in PHP applications. Without proper input handling mechanisms such as PDO prepared statements, mysqli_real_escape_string, or input whitelisting, attackers can break out of the intended query context and inject arbitrary SQL syntax to manipulate database operations beyond the application's intended logic.

RemediationAI

Organizations must immediately implement SQL injection defenses in the affected search functionality. Primary remediation requires modifying search_products_itname.php to use parameterized queries (prepared statements) via PDO or MySQLi with bound parameters rather than concatenating user input into SQL strings. Specific code example: replace direct parameter usage with prepared statements binding sitem_name as a typed parameter. Secondary controls include input validation enforcing alphanumeric-only characters for product name searches, implementing web application firewall rules to detect SQL injection patterns in POST parameters, and applying principle of least privilege to database accounts used by the application. Refer to researcher advisory at https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2025-63939 for technical details. No vendor-released patch identified at time of analysis; organizations must implement custom code fixes or discontinue use of the vulnerable application until secure alternatives are deployed.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2025-63939 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy