Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows SQL Injection.
This issue affects E-Commerce Website: before 4.5.001.
AnalysisAI
SQL injection in Akilli Commerce E-Commerce Website versions before 4.5.001 allows remote unauthenticated attackers to execute arbitrary SQL commands with complete database access. The vulnerability permits extraction of sensitive customer and transaction data, modification of product catalogs and pricing, and potential complete system compromise. CVSS score of 9.8 (Critical) reflects network-accessible exploitation requiring no authentication or user interaction, though no active exploitation has been reported in CISA KEV and EPSS data is not available.
Technical ContextAI
The vulnerability stems from CWE-89 (SQL Injection), where the E-Commerce Website platform fails to properly sanitize or parameterize user-supplied input before incorporating it into SQL queries. Affecting the Akilli Commerce Software Technologies E-Commerce Website platform (CPE: cpe:2.3:a:akilli_commerce_software_technologies_ltd._co.:e-commerce_website), this class of vulnerability typically occurs in web application endpoints handling user input such as search fields, product filters, login forms, or checkout processes. Without prepared statements or input validation, attackers can inject malicious SQL syntax to manipulate database queries, bypassing authentication mechanisms, extracting data through UNION-based or blind injection techniques, or executing administrative database commands.
RemediationAI
Upgrade immediately to Akilli Commerce E-Commerce Website version 4.5.001 or later, which contains fixes for the SQL injection vulnerability per TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0222. Organizations unable to patch immediately should implement layered compensating controls: deploy a Web Application Firewall (WAF) with SQL injection rulesets to block common attack patterns, though sophisticated attacks may bypass signature-based detection; restrict database user permissions to minimum required operations (read-only where possible, no DROP/ALTER privileges) to limit injection impact, though data exfiltration remains possible; implement database activity monitoring to detect anomalous query patterns such as UNION statements or excessive row returns; isolate the application database on a separate network segment with strict firewall rules. Note that workarounds provide defense-in-depth but do not eliminate the vulnerability-patching to version 4.5.001 remains the only complete remediation. Contact Akilli Commerce support channels for patch deployment assistance and verify post-patch that all application functionality remains operational.
More in E Commerce Website
View allArbitrary file upload vulnerability in SourceCodester E-Commerce Website v 1.0 allows attackers to execute arbitrary cod
SQL injection vulnerability in SourceCodester E-Commerce Website V 1.0 allows remote attackers to execute arbitrary SQL
A vulnerability has been found in SourceCodester E-Commerce Website 1.0 and classified as critical. Rated medium severit
Authorization bypass in Akilli Commerce E-Commerce Website before 4.5.001 allows remote unauthenticated attackers to hij
Remote unauthenticated SQL injection in Akilli Commerce Software Technologies E-Commerce Website before version 4.5.001
A vulnerability was determined in code-projects E-Commerce Website 1.0. This affects an unknown part of the file /pages/
A vulnerability was determined in code-projects E-Commerce Website 1.0. The affected element is an unknown function of t
A vulnerability was found in code-projects E-Commerce Website 1.0. Impacted is an unknown function of the file /pages/us
A vulnerability was detected in code-projects E-Commerce Website 1.0. Impacted is an unknown function of the file /pages
A cross-site scripting (XSS) vulnerability in /public/admin/index.php?add_product of E-Commerce Website v1.0 allows atta
Cross-site scripting (XSS) vulnerability in SourceCodester E-Commerce Website v 1.0 allows remote attackers to inject ar
A vulnerability has been found in itsourcecode E-Commerce Website 1.0 and classified as critical. Rated medium severity
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209783
GHSA-h999-6ppq-jh7h