
PHP CVE-2025-7594

EUVD-2025-21334 · MEDIUM
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
2025-07-14 · cna@vuldb.com
CVSS 4.0 score: 5.5 (NVD)

Severity by source

NVD (primary): 5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline (6 events)

Apr 29, 2026 - 01:11 (NVD): Severity Changed, HIGH -> MEDIUM
Apr 29, 2026 - 01:11 (NVD): CVSS changed, 7.3 (HIGH) -> 5.5 (MEDIUM)
Mar 16, 2026 - 09:43 (euvd): EUVD ID Assigned, EUVD-2025-21334
Mar 16, 2026 - 09:43 (vuln.today): Analysis Generated
Sep 29, 2025 - 21:15 (vuln.today): PoC Detected, public exploit code
Jul 14, 2025 - 10:15 (nvd): CVE Published, HIGH 7.3

Description (CVE.org)

A vulnerability was found in code-projects Job Diary 1.0. It has been classified as critical. This affects an unknown part of the file /view-emp.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

CVE-2025-7594 is a critical SQL injection vulnerability in code-projects Job Diary version 1.0 affecting the /view-emp.php endpoint's ID parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially extract, modify, or delete database contents. The vulnerability has been publicly disclosed with exploit code available, and the low attack complexity combined with network accessibility makes this a high-priority threat requiring immediate patching.

Technical Context (AI)

This vulnerability stems from improper input validation in PHP-based web application code. The /view-emp.php file fails to sanitize or parameterize the ID parameter before incorporating it into SQL queries, enabling SQL injection (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component). The root cause is insufficient use of prepared statements or input validation mechanisms. code-projects Job Diary 1.0 is a PHP web application (CPE would be cpe:2.3:a:code-projects:job_diary:1.0:*:*:*:*:*:*:*) that is vulnerable via direct HTTP GET/POST requests to the affected endpoint. The CWE-74 classification indicates the application treats user input as SQL code rather than data.

Remediation (AI)

Immediate Actions
- Disable or restrict access to the /view-emp.php endpoint via WAF or network ACL until a patch is applied.
- Implement emergency input validation: validate the ID parameter as numeric only and reject special SQL characters.
- Enable SQL error suppression to prevent information disclosure.

Patching
- Contact code-projects for availability of a Job Diary 1.0 security patch; no patch version is identified in the CVE data.
- If a patch is unavailable, consider upgrading to a newer version if one is available.
- Apply parameterized queries (prepared statements) to /view-emp.php: use PDO/MySQLi with bound parameters instead of string concatenation.

Mitigation
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the ID parameter.
- Apply rate limiting to /view-emp.php to reduce automated exploitation velocity.
- Enable database query logging and monitor for unusual SQL patterns.
- Conduct a database audit for unauthorized access or modifications since the disclosure date.

Detection
- Monitor for SQL keywords (UNION, SELECT, DROP, etc.) in ID parameter logs.
- Alert on database queries executed from the web application context with suspicious WHERE clauses.
- Review access logs for encoded SQL injection attempts (%27, %3D, etc.).
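
The Detection steps above, as an added example (not code from this page or from the Job Diary project): a log review that percent-decodes the ID parameter of /view-emp.php requests and flags every value that is not purely numeric. It assumes combined-format access logs and a parameter carried in the query string as id or ID; the function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Keywords named in the Detection steps; extend the tuple for your environment.
SQL_KEYWORDS = ("UNION", "SELECT", "DROP")
# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jul/2025:10:20:01 +0000] "GET /view-emp.php?id=7 HTTP/1.1" 200 512',
    '198.51.100.4 - - [14/Jul/2025:10:20:05 +0000] "GET /view-emp.php?id=7%27+OR+1%3D1 HTTP/1.1" 200 4096',
    '198.51.100.4 - - [14/Jul/2025:10:20:09 +0000] "GET /view-emp.php?ID=7+union+select+1 HTTP/1.1" 500 0',
    '192.0.2.10 - - [14/Jul/2025:10:21:00 +0000] "GET /index.php?id=abc HTTP/1.1" 200 100',
]

def suspicious_id_requests(log_lines, path="/view-emp.php", param="id"):
    """Return (line_no, decoded_value, keyword_hits) for each non-numeric ID value.

    Only query-string parameters are visible in access logs; POST bodies
    need application or WAF logging instead.
    """
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path != path:
            continue
        # parse_qsl percent-decodes, so %27 and %3D are compared as ' and =
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name.lower() != param:
                continue
            if re.fullmatch(r"[0-9]+", value):
                continue  # a plain numeric ID is the only expected shape
            hits = [k for k in SQL_KEYWORDS
                    if re.search(rf"\b{k}\b", value, re.IGNORECASE)]
            findings.append((line_no, value, hits))
    return findings

if __name__ == "__main__":
    for line_no, value, hits in suspicious_id_requests(SAMPLE_LOG):
        print(f"line {line_no}: id={value!r} keywords={hits}")
```

Flagging on "not numeric" rather than on keywords alone also catches probes that contain no SQL keyword, such as a lone quote character.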
