CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
Improper input handling in /Grocery/search_products_itname.php, in anirudhkannan Grocery Store Management System 1.0, allows SQL injection via the sitem_name POST parameter.
Analysis (AI)
SQL injection in Grocery Store Management System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands through the sitem_name POST parameter of search_products_itname.php. The vector scores CVSS 9.8 (Critical): network reachable, low attack complexity, no privileges or user interaction required, with high impact on confidentiality, integrity and availability. Scope is unchanged, so the direct impact is full compromise of the application's database (data exfiltration, modification and deletion); whether it extends beyond the database depends on the privileges of the account the application connects with. EPSS data not available; no confirmed active exploitation (CISA KEV) identified at time of analysis, though publicly available exploit code exists per the researcher advisory.
Technical Context (AI)
The vulnerability resides in the product search functionality of anirudhkannan's Grocery Store Management System, a PHP-based web application. The /Grocery/search_products_itname.php endpoint incorporates the sitem_name POST parameter into a SQL query without parameterizing or validating it. This is a classic SQL injection: user-controlled input is concatenated directly into the query string, so an attacker can close the intended string literal, append clauses of their own (UNION SELECT, boolean or time-based conditions, stacked statements where the driver permits them) and change what the database executes. The backend is most likely MySQL or MariaDB, the usual choice for PHP applications of this kind, although the record does not confirm it. The correct fix is a prepared statement with bound parameters (PDO or MySQLi), which keeps the value out of the query's syntax entirely; escaping with mysqli_real_escape_string and input allowlisting are weaker, secondary measures.
Remediation (AI)
Organizations running this application must fix the search endpoint themselves. Primary remediation is to modify search_products_itname.php so that the query is a prepared statement (PDO or MySQLi) with sitem_name passed as a bound parameter and never concatenated into the SQL string; every other endpoint that builds queries from request parameters should be reviewed for the same pattern. Secondary controls: validate the search term (length limit, reject control characters; a strict alphanumeric-only rule would reject legitimate product names containing spaces or punctuation), add web application firewall rules for SQL injection patterns in POST bodies, and run the application under a database account with the minimum privileges it needs (read-only where a page only reads, no FILE or administrative grants). Refer to the researcher advisory at https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2025-63939 for technical details. No vendor-released patch identified at time of analysis; organizations must implement custom code fixes or discontinue use of the vulnerable application until secure alternatives are deployed.
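To make the Technical Context and Remediation sections concrete, the following is an added example written for this page; it is not code from the anirudhkannan project, whose actual search_products_itname.php source is not reproduced here. It shows a hypothetical vulnerable handler of the kind the description implies, followed by a hardened handler using a MySQLi prepared statement, input validation and LIKE-wildcard escaping. The table and column names (products, item_name), the LIKE-based search, the read-only database account and the GROCERY_DB_PASS environment variable are all assumptions; only the parameter name sitem_name comes from the NVD description.

```php
<?php
// Added example for this page, not the project's code.
// Table/column names, the LIKE search and the DB account are assumptions.

// --- Vulnerable pattern (illustrative; assumed to resemble the flaw described) ---
// The POST value is concatenated straight into the query, so a term such as
//   ' OR 1=1 -- 
// or a UNION SELECT payload changes the statement's meaning.
function search_products_vulnerable(mysqli $db, string $sitem_name): array
{
    $sql = "SELECT id, item_name, price FROM products WHERE item_name LIKE '%" . $sitem_name . "%'";
    $result = $db->query($sql);                  // injection point
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// --- Hardened version ---
// 1. Validation is defence in depth, not the fix: bound the length and reject control
//    characters. Real product names contain spaces, hyphens and apostrophes, so an
//    "alphanumeric only" rule would break legitimate searches.
// 2. The prepared statement binds the value as data; it can never be parsed as SQL.
// 3. Escaping % and _ stops a user from turning "%" into a full-table dump.
function search_products_safe(mysqli $db, string $sitem_name): array
{
    $sitem_name = trim($sitem_name);
    if ($sitem_name === '' || mb_strlen($sitem_name) > 100
        || preg_match('/[\x00-\x1F\x7F]/', $sitem_name)) {
        throw new InvalidArgumentException('invalid search term');
    }

    // Backslash is MySQL's default ESCAPE character for LIKE.
    $pattern = '%' . addcslashes($sitem_name, '%_\\') . '%';

    $stmt = $db->prepare('SELECT id, item_name, price FROM products WHERE item_name LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Request handler. The search page only reads, so it connects with an assumed
// read-only account (least privilege from the Remediation section).
$db = new mysqli('localhost', 'grocery_ro', getenv('GROCERY_DB_PASS') ?: '', 'grocery');
$db->set_charset('utf8mb4');
header('Content-Type: application/json');
try {
    echo json_encode(search_products_safe($db, $_POST['sitem_name'] ?? ''));
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo json_encode(['error' => $e->getMessage()]);
}
```

mysqli_stmt::get_result() and fetch_all() require the mysqlnd driver, which is the default in modern PHP builds; on older builds use bind_result() and a fetch loop instead. The same bound-parameter pattern applies with PDO (prepare(), then execute([$pattern])).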
External POC / Exploit Code: https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2025-63939
EUVD-2025-209441
GHSA-25qr-g262-c7jp