CVE-2025-26156
Published: 14 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26156 is a SQL injection vulnerability (CWE-89) affecting the /shopping/track-orders.php component in PHPGurukul Online Shopping Portal version 2.1. Published on 2025-02-14, it enables remote attackers to execute arbitrary code by injecting malicious payloads via the orderid parameter in a POST request. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility, low complexity, and significant impacts on confidentiality, integrity, and availability.
Exploitation requires low privileges (PR:L) and can be performed remotely over the network without user interaction. An attacker could send a crafted POST request to the vulnerable endpoint, allowing arbitrary code execution on the affected system, which could lead to full compromise including data exfiltration, modification, or disruption of services.
Advisories and further details, including potential mitigations, are documented in the referenced GitHub repository at https://github.com/rtnthakur/CVE/blob/main/PHPGurukul/README.md.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in public-facing web application (PHPGurukul Online Shopping Portal) enables remote arbitrary code execution, directly facilitating T1190: Exploit Public-Facing Application.