Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability, which was classified as critical, was found in code-projects Inventory Management System 1.0. This affects an unknown part of the file /php_action/createCategories.php. The manipulation of the argument categoriesStatus leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
CVE-2025-6501 is a critical SQL injection vulnerability in code-projects Inventory Management System 1.0 affecting the /php_action/createCategories.php file, where the 'categoriesStatus' parameter is not properly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Public exploit disclosure and proof-of-concept availability indicate active threat potential with low barrier to exploitation.
Technical Context (AI)
This vulnerability exists in a PHP-based web application (Inventory Management System) that processes user input from the 'categoriesStatus' parameter without adequate input validation or parameterized query protection. The root cause is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection'), which is a parent category encompassing SQL injection (CWE-89). The vulnerable code path in /php_action/createCategories.php likely constructs SQL queries through string concatenation rather than using prepared statements or parameterized queries. The application stack involves PHP with an underlying database system (likely MySQL/MariaDB based on common IMS implementations), where unsanitized user input flows directly into dynamic SQL construction.
Remediation (AI)
Immediate steps:
(1) Isolate: restrict network access to /php_action/createCategories.php to trusted internal subnets only, via WAF rules, IP whitelisting, or an application firewall.
(2) Input validation: implement strict whitelist validation for the 'categoriesStatus' parameter (e.g., accept only predefined enumerated values such as 'active' and 'inactive').
(3) Parameterized queries: rewrite the vulnerable query construction to use prepared statements with bound parameters (PHP mysqli prepared statements or PDO prepared statements).
(4) Upgrade: contact code-projects for security patches; if none are available, consider migrating to a maintained inventory management system.

Long-term:
(1) Conduct a code audit of all PHP files that handle user input, particularly in the /php_action/ directory.
(2) Adopt an ORM framework (e.g., Doctrine, Eloquent) that abstracts SQL construction.
(3) Deploy Web Application Firewall (WAF) rules for SQL injection pattern detection.
(4) Implement rate limiting and logging on the createCategories.php endpoint.
(5) Run automated security scanning (SAST) in the CI/CD pipeline.
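The following is an added example of remediation steps (2) and (3) above; it is not code from code-projects Inventory Management System, and the table name `categories`, the column names `categoriesName` and `categoriesStatus`, the `$pdo` connection and the DSN placeholders are assumptions. The unsafe function is an illustrative reconstruction of the string-concatenation pattern the Technical Context section describes, shown only so the contrast with the hardened handler is clear.

```php
<?php
// Added example, not the project's own code. Table/column names, the PDO
// connection and the DSN values below are hypothetical placeholders.

// Connection helper: disabling emulated prepares makes the database server
// perform the parameter binding, so data is never spliced into SQL text.
function connectDb(): PDO
{
    $dsn = 'mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4';
    return new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Vulnerable pattern (illustrative reconstruction, NOT the actual source):
// request parameters become part of the SQL string, so any quote or operator
// in categoriesStatus changes the meaning of the statement.
function createCategoryUnsafe(PDO $pdo, array $post): void
{
    $name   = $post['categoriesName'] ?? '';
    $status = $post['categoriesStatus'] ?? '';
    $sql = "INSERT INTO categories (categoriesName, categoriesStatus) "
         . "VALUES ('" . $name . "', '" . $status . "')";
    $pdo->exec($sql);
}

// Hardened handler: the enumerated field is whitelisted (step 2) and every
// value reaches the database through a bound parameter (step 3).
const ALLOWED_STATUS = ['active', 'inactive']; // assumed enumeration

function createCategorySafe(PDO $pdo, array $post): bool
{
    $name   = trim((string)($post['categoriesName'] ?? ''));
    $status = (string)($post['categoriesStatus'] ?? '');

    // Strict whitelist: anything outside the known set is rejected and
    // logged, which also gives the endpoint the audit trail step (4) asks for.
    if (!in_array($status, ALLOWED_STATUS, true)) {
        http_response_code(400);
        error_log('createCategories: rejected categoriesStatus=' . json_encode($status));
        return false;
    }
    if ($name === '' || strlen($name) > 100) {
        http_response_code(400);
        error_log('createCategories: rejected categoriesName length=' . strlen($name));
        return false;
    }

    // Prepared statement with named placeholders: the SQL text is fixed at
    // prepare time, and $name/$status travel as data, not as query syntax.
    $stmt = $pdo->prepare(
        'INSERT INTO categories (categoriesName, categoriesStatus) VALUES (:name, :status)'
    );
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':status', $status, PDO::PARAM_STR);
    return $stmt->execute();
}

// Usage (would normally be the body of /php_action/createCategories.php):
// $ok = createCategorySafe(connectDb(), $_POST);
// echo json_encode(['success' => $ok]);
```

The whitelist check is what makes the `categoriesStatus` field safe regardless of how the query is built; the prepared statement is what protects the free-text `categoriesName` field and every other parameter the audit in the long-term steps will find. Both are needed: validation alone leaves free-text fields exposed, and prepared statements alone still let an unexpected status value into the table.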
EUVD ID: EUVD-2025-28742