Cyber Posture

CVE-2025-26200

Severity: High · Public PoC
Published: 24 February 2025
Modified: 01 May 2025
KEV Added:
Patch:
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0133 (80.0th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

SQL injection in SLIMS v.9.6.1 allows a remote attacker to escalate privileges via the month parameter in the visitor_report_day.php component.

Security Summary

CVE-2025-26200 is a SQL injection vulnerability (CWE-89) in SLIMS version 9.6.1. The flaw is in the visitor_report_day.php component, where insufficient input validation on the month parameter allows a remote attacker to escalate privileges. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-02-24T17:15:14.273.

Exploitation requires high privileges (PR:H), but can be performed remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). A successful attack lets the attacker escalate privileges, with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) while the security scope stays unchanged (S:U).

Advisories and additional details are available at https://github.com/slims/slims9_bulian/issues/269 and https://mebroccoli.blogspot.com/2025/02/cve2.html.

Details

CWE(s)
CWE-89

Affected Products

Vendor: slims
Product: senayan library management system
Version: 9.6.1
