CVE-2025-26136
Published: 04 March 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-26136, published on 2025-03-04, is a SQL injection vulnerability (CWE-89) in mysiteforme versions prior to 2025.01.1. The flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact across confidentiality, integrity, and availability.
Remote attackers require no authentication privileges or user interaction and can exploit the issue over the network with low attack complexity. Successful exploitation enables arbitrary SQL injection, allowing attackers to read sensitive data, modify database contents, execute administrative operations, or cause denial of service.
The reference advisory at https://gist.github.com/xiadmin6/6d664692d31a04eb59096a488b9f3712 provides details on mitigation, which includes upgrading to mysiteforme version 2025.01.1 or later to address the vulnerability in affected versions.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web app directly enables T1190 for initial access; arbitrary SQL queries facilitate database data collection (T1213.006) and stored data manipulation (T1565.001).