Which versions of PHP are affected by EUVD-2025-21203?

A remote SQL injection vulnerability in Modern Bag 1.0 allows unauthenticated attackers to compromise database integrity and extract sensitive data.

Is there a public PoC exploit available for EUVD-2025-21203?

Yes, a public proof-of-concept exploit is available for EUVD-2025-21203. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate EUVD-2025-21203?

Within 24 hours: Inventory all systems running Modern Bag 1.0 and assess internet exposure. Implement WAF rules blocking SQL injection patterns in the proId parameter. Within 7 days: Isolate affected systems to restricted network segments, disable /action.php if operationally feasible, and establish enhanced logging/monitoring. Within 30 days: Evaluate replacement solutions or request emergency patch from vendor; if unavailable, plan application decommissioning or air-gap deployment.

PHP EUVD-2025-21203

Q: What is the CVSS score of EUVD-2025-21203?

EUVD-2025-21203 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

| CVE-2025-7461 MEDIUM

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

2025-07-12 cna@vuldb.com

PHP SQLi

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

HIGH MEDIUM

CVSS changed

Apr 29, 2026 - 01:11 NVD

7.3 (HIGH) 5.5 (MEDIUM)

EUVD ID Assigned

Mar 16, 2026 - 08:56 euvd

EUVD-2025-21203

Analysis Generated

Mar 16, 2026 - 08:56 vuln.today

PoC Detected

Jul 15, 2025 - 18:34 vuln.today

Public exploit code

CVE Published

Jul 12, 2025 - 05:15 nvd

HIGH 7.3

DescriptionCVE.org

A vulnerability was found in code-projects Modern Bag 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /action.php. The manipulation of the argument proId leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

AnalysisAI

CVE-2025-7461 is a critical SQL injection vulnerability in code-projects Modern Bag version 1.0, located in the /action.php file's proId parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially access, modify, or delete database contents. The vulnerability has been publicly disclosed with exploit code available, and the CVSS 7.3 score reflects moderate confidentiality, integrity, and availability impact; however, the attack requires no authentication or user interaction, making it immediately exploitable in network-accessible deployments.

Technical ContextAI

Modern Bag 1.0 is a PHP-based application that fails to properly sanitize user input in the proId parameter passed to /action.php, allowing SQL injection via CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The vulnerable code path likely constructs SQL queries through direct string concatenation of the proId parameter without using prepared statements or parameterized queries. This is a classic web application vulnerability where user-controlled input is treated as executable SQL code rather than data, enabling attackers to alter query logic, extract sensitive data, or modify database records.

RemediationAI

IMMEDIATE: If running Modern Bag 1.0 in production, isolate or take offline pending patched version availability. 2) Contact code-projects vendor directly for patch status and expected release timeline. 3) Implement Web Application Firewall (WAF) rules to block SQL injection patterns in proId parameter (e.g., blocking SQL keywords like UNION, SELECT, DROP in this parameter). 4) Apply strict input validation: whitelist acceptable proId values (e.g., numeric-only if product IDs are numeric). 5) Upgrade to patched Modern Bag version once available from vendor. 6) If no patch is forthcoming, consider replacing Modern Bag with a maintained alternative that implements secure coding practices (parameterized queries, input validation, principle of least privilege for database accounts). 7) Review database access logs for signs of exploitation.

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

EUVD-2025-21203 vulnerability details – vuln.today

Back

PHP EUVD-2025-21203

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code