Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description (CVE.org)
A vulnerability was found in PHPGurukul Curfew e-Pass Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /index.php. The manipulation of the argument searchdata leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Critical SQL injection vulnerability in PHPGurukul Curfew e-Pass Management System version 1.0, where unsanitized input in the 'searchdata' parameter of /index.php allows unauthenticated remote attackers to execute arbitrary SQL queries. The vulnerability has been publicly disclosed with exploit code available, enabling attackers to extract sensitive data, modify records, or potentially execute system commands depending on database permissions and backend configuration. This represents an immediate threat to organizations using this system.
Technical Context (AI)
The vulnerability resides in PHPGurukul Curfew e-Pass Management System 1.0, a PHP-based web application. The root cause is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), indicating insufficient input validation and output encoding in the /index.php file. The 'searchdata' GET/POST parameter is directly concatenated into SQL queries without prepared (parameterized) statements, enabling classical SQL injection. The affected component handles search functionality, likely used for querying e-pass records. PHP applications of this nature typically interact with MySQL/MariaDB backends, and the lack of input sanitization (no use of mysqli_real_escape_string, parameterized queries, or ORM frameworks) allows attackers to break out of the intended SQL syntax and inject arbitrary commands.
Remediation (AI)
Immediate actions:
(1) If the e-pass management system is still in use, disable it or restrict network access to it until patched.
(2) Implement Web Application Firewall (WAF) rules to block SQL injection payloads in the searchdata parameter (e.g., blocking common keywords: UNION, SELECT, DROP, OR 1=1).
(3) Enable SQL query logging and monitor for suspicious patterns.

Long-term remediation:
(1) Upgrade to a patched version if available from PHPGurukul; check their official website or GitHub repository for updates beyond 1.0.
(2) If no patch exists, migrate to an actively maintained alternative e-pass management system.
(3) If patching in place, apply input validation: use prepared statements with parameterized queries (mysqli_prepare or PDO with bound parameters), implement whitelist validation for the searchdata parameter, and enforce the principle of least privilege on the database user (remove administrative database rights).

Code-level fix: Replace direct SQL concatenation with parameterized queries, e.g.:

    // bind_param() binds by reference, so the LIKE pattern must be held in a variable
    $search = '%' . $_GET['searchdata'] . '%';
    $stmt = $mysqli->prepare('SELECT * FROM epasses WHERE name LIKE ?');
    $stmt->bind_param('s', $search);
    $stmt->execute();
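For the "monitor for suspicious patterns" step, an added example (not part of the original entry and not PHPGurukul's code) that scans web-server access logs for /index.php requests whose searchdata value fails an allow-list or contains the keywords named in the WAF advice. It assumes combined log format, that searchdata arrives in the query string, and an allow-list of letters, digits, spaces and hyphens; the rule names and log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format request line: client, timestamp, method, target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Assumed allow-list for a search term: letters, digits, space, hyphen, max 40 chars.
ALLOWED = re.compile(r"[A-Za-z0-9 \-]{1,40}")

# Keywords named in the remediation text; rule names are this example's own.
KEYWORDS = {
    "union": re.compile(r"\bunion\b", re.I),
    "select": re.compile(r"\bselect\b", re.I),
    "drop": re.compile(r"\bdrop\b", re.I),
    "or_1_eq_1": re.compile(r"\bor\s+1\s*=\s*1\b", re.I),
}

def classify(value):
    """Return reasons a searchdata value is suspicious (empty list = clean)."""
    reasons = [] if ALLOWED.fullmatch(value) else ["outside_allow_list"]
    reasons += [name for name, rx in KEYWORDS.items() if rx.search(value)]
    return reasons

def scan(lines):
    """Yield (client, timestamp, value, reasons) for flagged /index.php requests."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, _method, target, _status = m.groups()
        url = urlsplit(target)
        if url.path != "/index.php":
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("searchdata", []):
            reasons = classify(value)
            if reasons:
                yield client, ts, value, reasons

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Jun/2025:10:00:01 +0000] "GET /index.php?searchdata=EP-10293 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jun/2025:10:00:05 +0000] "GET /index.php?searchdata=1%27+OR+1%3D1--+ HTTP/1.1" 200 9120',
    '198.51.100.7 - - [01/Jun/2025:10:00:09 +0000] "GET /index.php?searchdata=x%27+UNION+SELECT+1--+ HTTP/1.1" 200 734',
    '192.0.2.22 - - [01/Jun/2025:10:01:00 +0000] "GET /index.php?searchdata=drop+box+road HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The last sample line passes the allow-list but still trips the "drop" keyword, which is why keyword matching works better as a triage label than as the only control. POST bodies do not appear in access logs, so POST submissions of searchdata need application-side or WAF logging.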
EUVD-2025-16818