Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ays Pro Fox LMS fox-lms allows Blind SQL Injection.This issue affects Fox LMS: from n/a through <= 1.0.6.3.
AnalysisAI
Fox LMS versions 1.0.6.3 and earlier are vulnerable to blind SQL injection attacks through improper input sanitization, allowing authenticated attackers to execute arbitrary SQL queries and potentially exfiltrate sensitive database information. The vulnerability requires user authentication but can be exploited remotely with no user interaction needed, and carries a high CVSS score of 8.5. No patch is currently available for affected organizations.
Technical ContextAI
Fox LMS is a learning management system developed by Ays Pro that suffers from improper neutralization of special elements in SQL commands (CWE-89). This classic SQL injection vulnerability occurs when user-supplied input is inadequately sanitized before being incorporated into SQL queries, allowing attackers to manipulate the query structure. The blind SQL injection variant means attackers cannot see direct query results but can infer information through boolean-based or time-based techniques by observing application behavior differences.
RemediationAI
Upgrade Fox LMS to a version newer than 1.0.6.3 if available from Ays Pro, though no specific patched version has been identified in the available sources. In the absence of a vendor patch, implement web application firewall (WAF) rules to filter SQL injection attempts, enforce parameterized queries or stored procedures if you have access to modify the application, and apply the principle of least privilege to database accounts used by Fox LMS. Monitor database logs for suspicious query patterns that may indicate exploitation attempts.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11798