How to fix CVE-2025-6665?

Within 24 hours: Identify all systems running Inventory Management System 1.0 and isolate them from production networks if possible; enable detailed logging on affected systems. Within 7 days: Deploy Web Application Firewall (WAF) rules to block SQL injection payloads targeting /php_action/editBrand.php; implement input validation and parameterized queries if code modification is feasible. Within 30 days: Evaluate migration to a patched version or alternative inventory management solution; conduct database audit for unauthorized access or modifications.

Is PHP affected by CVE-2025-6665?

A remote SQL injection vulnerability in Inventory Management System 1.0 allows attackers to compromise database integrity and access sensitive inventory and business data without authentication.

CVE-2025-6665

EUVD-2025-19138 HIGH

2025-06-25 [email protected]

7.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 23:19 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 23:19 euvd

EUVD-2025-19138

PoC Detected

Jun 27, 2025 - 17:56 vuln.today

Public exploit code

CVE Published

Jun 25, 2025 - 21:15 nvd

HIGH 7.3

Description

A vulnerability has been found in code-projects Inventory Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /php_action/editBrand.php. The manipulation of the argument editBrandStatus leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-6665 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0, specifically in the /php_action/editBrand.php file's editBrandStatus parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with a proof-of-concept available, increasing real-world exploitation risk.

Technical Context

The vulnerability stems from improper input validation and parameterization in PHP server-side code (CWE-74: Improper Neutralization of Special Elements in Output). The editBrand.php file fails to properly sanitize or use prepared statements for the editBrandStatus parameter before incorporating it into SQL queries. This classic SQL injection flaw allows attackers to break out of the intended query context and inject arbitrary SQL commands. The affected technology is a PHP-based inventory management system with a likely MySQL or similar relational database backend. CPE identifier would be: cpe:2.3:a:code-projects:inventory_management_system:1.0:*:*:*:*:*:*:*

Affected Products

Inventory Management System (['1.0'])

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +36

POC: +20

CVE-2025-6665 vulnerability details – vuln.today

Back

CVE-2025-6665

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

CVE-2025-6665

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

External POC / Exploit Code