EUVD-2025-19140Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability was found in code-projects Inventory Management System 1.0. It has been classified as critical. This affects an unknown part of the file /php_action/fetchSelectedBrand.php. The manipulation of the argument brandId leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
CVE-2025-6668 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0 affecting the /php_action/fetchSelectedBrand.php endpoint via the brandId parameter. An unauthenticated remote attacker can exploit this vulnerability to read, modify, or delete database contents, with disclosed public exploits and active exploitation potential. The CVSS 7.3 score reflects moderate impact across confidentiality, integrity, and availability, though the attack requires no privileges or user interaction.
Technical ContextAI
The vulnerability is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection') manifesting as SQL injection. The affected component is a PHP backend script (/php_action/fetchSelectedBrand.php) that processes the 'brandId' parameter without proper input validation or parameterized query preparation. This is typical of legacy PHP applications that concatenate user input directly into SQL queries. The vulnerability affects code-projects Inventory Management System version 1.0, a web-based PHP application commonly deployed in small-to-medium business environments. Affected CPE would be: cpe:2.3:a:code-projects:inventory_management_system:1.0:*:*:*:*:*:*:*
RemediationAI
Immediate actions: (1) Apply vendor patches if available from code-projects (verify at https://github.com/code-projects/ or vendor portal); (2) If patches unavailable, implement input validation on the brandId parameter using whitelisting (numeric validation if brandId is expected to be numeric); (3) Replace all dynamic SQL with parameterized prepared statements using PHP PDO or mysqli prepared statements; (4) Apply Web Application Firewall (WAF) rules to block SQL injection payloads; (5) Restrict network access to /php_action/fetchSelectedBrand.php via IP whitelisting or VPN; (6) Audit database logs for suspicious query patterns. Long-term: upgrade to a maintained inventory management system or establish a security patch management process with the vendor.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today