CVE-2025-6668

| EUVD-2025-19140 HIGH
2025-06-25 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 15, 2026 - 23:19 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 23:19 euvd
EUVD-2025-19140
PoC Detected
Jun 27, 2025 - 17:49 vuln.today
Public exploit code
CVE Published
Jun 25, 2025 - 22:15 nvd
HIGH 7.3

Tags

PHP SQLi Inventory Management System

Description

A vulnerability was found in code-projects Inventory Management System 1.0. It has been classified as critical. This affects an unknown part of the file /php_action/fetchSelectedBrand.php. The manipulation of the argument brandId leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-6668 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0 affecting the /php_action/fetchSelectedBrand.php endpoint via the brandId parameter. An unauthenticated remote attacker can exploit this vulnerability to read, modify, or delete database contents, with disclosed public exploits and active exploitation potential. The CVSS 7.3 score reflects moderate impact across confidentiality, integrity, and availability, though the attack requires no privileges or user interaction.

Technical Context

The vulnerability is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection') manifesting as SQL injection. The affected component is a PHP backend script (/php_action/fetchSelectedBrand.php) that processes the 'brandId' parameter without proper input validation or parameterized query preparation. This is typical of legacy PHP applications that concatenate user input directly into SQL queries. The vulnerability affects code-projects Inventory Management System version 1.0, a web-based PHP application commonly deployed in small-to-medium business environments. Affected CPE would be: cpe:2.3:a:code-projects:inventory_management_system:1.0:*:*:*:*:*:*:*

Affected Products

code-projects Inventory Management System version 1.0 and all prior versions (no patched version specified in available data). The vulnerable component is /php_action/fetchSelectedBrand.php. Organizations using this system in production should assume all deployments are at risk unless the vendor has released a patched version (not referenced in current intelligence). No vendor advisory link is available in the provided data; operators should contact code-projects directly or check their GitHub repository for patch availability.

Remediation

Immediate actions: (1) Apply vendor patches if available from code-projects (verify at https://github.com/code-projects/ or vendor portal); (2) If patches unavailable, implement input validation on the brandId parameter using whitelisting (numeric validation if brandId is expected to be numeric); (3) Replace all dynamic SQL with parameterized prepared statements using PHP PDO or mysqli prepared statements; (4) Apply Web Application Firewall (WAF) rules to block SQL injection payloads; (5) Restrict network access to /php_action/fetchSelectedBrand.php via IP whitelisting or VPN; (6) Audit database logs for suspicious query patterns. Long-term: upgrade to a maintained inventory management system or establish a security patch management process with the vendor.

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20

Share

CVE-2025-6668 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy