Which versions of PHP are affected by EUVD-2025-18844?

An unauthenticated SQL injection vulnerability in the Inventory Management System 1.0 allows attackers to remotely access, modify, or exfiltrate sensitive database records through the…

Is there a public PoC exploit available for EUVD-2025-18844?

Yes, a public proof-of-concept exploit is available for EUVD-2025-18844. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate EUVD-2025-18844?

Within 24 hours: Isolate affected Inventory Management System instances from production networks or disable the /changeUsername.php endpoint; alert stakeholders and audit recent username change logs for unauthorized modifications. Within 7 days: Deploy Web Application Firewall (WAF) rules to block SQL injection patterns in the user_id parameter; implement input validation and parameterized queries as temporary code-level fixes if feasible. Within 30 days: Migrate to a patched version immediately upon vendor release or replace the application with a supported alternative; conduct forensic analysis to identify compromised data and reset affected user credentials.

PHP EUVD-2025-18844

Q: What is the CVSS score of EUVD-2025-18844?

EUVD-2025-18844 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

| CVE-2025-6474 MEDIUM

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

2025-06-22 cna@vuldb.com

PHP SQLi

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

HIGH MEDIUM

CVSS changed

Apr 29, 2026 - 01:11 NVD

7.3 (HIGH) 5.5 (MEDIUM)

EUVD ID Assigned

Mar 15, 2026 - 21:55 euvd

EUVD-2025-18844

Analysis Generated

Mar 15, 2026 - 21:55 vuln.today

PoC Detected

Jun 27, 2025 - 17:29 vuln.today

Public exploit code

CVE Published

Jun 22, 2025 - 12:15 nvd

HIGH 7.3

DescriptionCVE.org

A vulnerability has been found in code-projects Inventory Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /changeUsername.php. The manipulation of the argument user_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

AnalysisAI

CVE-2025-6474 is a critical SQL injection vulnerability in code-projects Inventory Management System version 1.0 affecting the /changeUsername.php file, specifically the user_id parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially compromising data confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with proof-of-concept availability, making active exploitation likely.

Technical ContextAI

This vulnerability is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection'), which is a parent category for SQL injection flaws. The root cause stems from inadequate input validation and sanitization of the user_id parameter in /changeUsername.php before it is used in SQL queries. The application fails to employ parameterized queries, prepared statements, or proper escaping mechanisms, allowing attackers to inject malicious SQL syntax. The affected product is code-projects Inventory Management System 1.0, a PHP-based web application. The vulnerability permits database manipulation through HTTP requests to the vulnerable endpoint without requiring authentication or user interaction.

RemediationAI

patch: Monitor code-projects GitHub or official website for security updates and apply immediately upon availability workaround: Implement Web Application Firewall (WAF) rules to block SQL injection patterns in user_id parameter (detect quotes, SQL keywords like UNION, OR, etc.); priority: Medium-term mitigation detection: Set up alerts for failed SQL queries or unusual database access patterns

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

EUVD-2025-18844 vulnerability details – vuln.today

Back

PHP EUVD-2025-18844

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code