EUVD-2025-18863Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability was found in code-projects Inventory Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /php_action/fetchSelectedCategories.php. The manipulation of the argument categoriesId leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
CVE-2025-6503 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0, specifically in the /php_action/fetchSelectedCategories.php file where the 'categoriesId' parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The exploit has been publicly disclosed and proof-of-concept code is available, significantly elevating exploitation risk in production environments.
Technical ContextAI
This vulnerability is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, also known as 'Injection'), which represents a failure to properly validate and sanitize user-supplied input before incorporating it into SQL queries. The affected component is a PHP file (/php_action/fetchSelectedCategories.php) that likely processes category filtering requests in an inventory management application. The 'categoriesId' parameter is passed directly or with insufficient escaping into SQL query construction, allowing an attacker to inject malicious SQL syntax. This is a classic first-order SQL injection vulnerability in legacy PHP applications that predate parameterized query adoption.
RemediationAI
Immediate remediation steps: (1) Implement prepared statements/parameterized queries using mysqli_prepare() or PDO prepared statements in the fetchSelectedCategories.php file; (2) Apply strict input validation using whitelist approach for categoriesId parameter (numeric validation only if categories are referenced by ID); (3) Implement stored procedures with bound parameters if database layer supports; (4) Apply Web Application Firewall (WAF) rules to block SQL injection patterns in the categoriesId parameter as temporary mitigation; (5) Upgrade to a patched version when released by code-projects vendor. Contact code-projects development team for security updates; if no response within 90 days, consider migrating to actively maintained inventory management systems. Implement principle of least privilege for database user credentials used by the application.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today