Severity by source

CVSS 4.0 vector (NVD, the only rating source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was found in code-projects Inventory Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /php_action/removeCategories.php. The manipulation of the argument categoriesId leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI-generated)
CVE-2025-6612 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0, affecting the /php_action/removeCategories.php endpoint. An unauthenticated remote attacker can manipulate the 'categoriesId' parameter to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, and its CVSS score of 7.3 indicates moderate-to-high severity.
Technical Context (AI-generated)
This vulnerability exists in a PHP-based Inventory Management System where user-supplied input (categoriesId parameter) is improperly validated and directly incorporated into SQL queries without parameterized prepared statements or proper escaping. The root cause is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), representing a classic SQL injection flaw. The vulnerable endpoint /php_action/removeCategories.php processes category deletion operations, and the lack of input sanitization allows attackers to break out of intended SQL syntax and inject malicious SQL commands. The absence of stored procedures or parameterized queries indicates the code likely uses string concatenation for query building.
Remediation (AI-generated)
Immediate actions:
1. Implement input validation on the categoriesId parameter: whitelist only valid numeric identifiers and reject any input containing SQL metacharacters.
2. Use parameterized prepared statements (prepared queries with bound parameters) for all database interactions in removeCategories.php.
3. Apply the principle of least privilege to database user accounts: ensure the PHP application's database credentials have only the minimal required permissions.
4. Implement Web Application Firewall (WAF) rules to detect and block common SQL injection patterns in category-related parameters.
5. Upgrade to a patched version if one is available from the code-projects vendor (check the project repository/advisory page).
6. As an interim mitigation, disable or restrict access to /php_action/removeCategories.php at the web server level using .htaccess or nginx configuration if the functionality is not immediately required.

Long-term: refactor the entire application to use an ORM framework (Laravel Eloquent, Doctrine) that enforces parameterized queries by default.
Related identifier: EUVD-2025-19109