EUVD-2025-18844

| CVE-2025-6474 HIGH
2025-06-22 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 15, 2026 - 21:55 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 21:55 euvd
EUVD-2025-18844
PoC Detected
Jun 27, 2025 - 17:29 vuln.today
Public exploit code
CVE Published
Jun 22, 2025 - 12:15 nvd
HIGH 7.3

Tags

PHP SQLi Inventory Management System

Description

A vulnerability has been found in code-projects Inventory Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /changeUsername.php. The manipulation of the argument user_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-6474 is a critical SQL injection vulnerability in code-projects Inventory Management System version 1.0 affecting the /changeUsername.php file, specifically the user_id parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially compromising data confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with proof-of-concept availability, making active exploitation likely.

Technical Context

This vulnerability is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection'), which is a parent category for SQL injection flaws. The root cause stems from inadequate input validation and sanitization of the user_id parameter in /changeUsername.php before it is used in SQL queries. The application fails to employ parameterized queries, prepared statements, or proper escaping mechanisms, allowing attackers to inject malicious SQL syntax. The affected product is code-projects Inventory Management System 1.0, a PHP-based web application. The vulnerability permits database manipulation through HTTP requests to the vulnerable endpoint without requiring authentication or user interaction.

Affected Products

- vendor: code-projects; product: Inventory Management System; affected_version: 1.0; component: /changeUsername.php; vulnerable_parameter: user_id; cpe: cpe:2.3:a:code-projects:inventory_management_system:1.0:*:*:*:*:*:*:*

Remediation

patch: Monitor code-projects GitHub or official website for security updates and apply immediately upon availability workaround: Implement Web Application Firewall (WAF) rules to block SQL injection patterns in user_id parameter (detect quotes, SQL keywords like UNION, OR, etc.); priority: Medium-term mitigation detection: Set up alerts for failed SQL queries or unusual database access patterns

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: +20

Share

EUVD-2025-18844 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy