Cyber Posture

CVE-2019-25523

HighPublic PoC

Published: 12 March 2026

Published
12 March 2026
Modified
23 March 2026
KEV Added
Patch
CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS Score 0.0025 48.1th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Attackers can send GET requests to cat.php with malicious cat_id values to bypass authentication, extract sensitive data,…

more

or modify database contents.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly prevents SQL injection by validating the cat_id parameter in cat.php against expected formats, blocking malicious SQL code injection via GET requests.

SI-2 Flaw Remediation good match
prevent

Remediates the specific SQL injection flaw in XooGallery's cat.php, eliminating the vulnerability through patching or code correction.

SC-7 Boundary Protection partial match
prevent

Boundary protection at web interfaces filters and blocks crafted GET requests with SQL injection payloads targeting the cat_id parameter.

Security SummaryAI

CVE-2019-25523 is an SQL injection vulnerability (CWE-89) in XooGallery Latest, affecting the cat.php component through the cat_id parameter. This flaw enables attackers to inject malicious SQL code into database queries via GET requests. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact with low integrity impact and no availability impact. It was published on 2026-03-12.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity by sending crafted GET requests to cat.php containing malicious values in the cat_id parameter. Successful exploitation allows bypassing authentication, extracting sensitive data from the database, or modifying database contents.

Advisories and exploit details are documented in references including Exploit-DB (https://www.exploit-db.com/exploits/46609) and VulnCheck (https://www.vulncheck.com/advisories/xoogallery-lastest-latest-sql-injection-via-cat-php), which provide proof-of-concept exploits demonstrating the SQL injection.

A public exploit is available on Exploit-DB, indicating potential for real-world abuse against unpatched XooGallery Latest installations.

Details

CWE(s)
CWE-89

Affected Products

xooscripts
xoogallery
all versions

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
attack.mitre.org →
Why these techniques?

SQL injection in public-facing web application (T1190) enables unauthenticated remote exploitation; allows arbitrary database queries for sensitive data extraction (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References