CVE-2025-1156
Published: 10 February 2025
Description
A vulnerability has been found in Pix Software Vivaz 6.0.10 and classified as critical. It affects unknown code in the file /servlet?act=login. Manipulation of the argument usuario leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security Summary
CVE-2025-1156 is a critical SQL injection vulnerability affecting Pix Software Vivaz version 6.0.10. The issue resides in unknown code within the /servlet?act=login file, where manipulation of the "usuario" argument enables the injection. Published on 2025-02-10, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-74 and CWE-89.
The vulnerability is remotely exploitable by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation can result in limited impacts to confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption via injected SQL queries.
VulDB advisories detail the public disclosure of an exploit, which may already be in use. The vendor was contacted early regarding the issue but has not responded, and no patches or mitigations are mentioned in available references.
Details
- CWE(s)