CVE-2025-66944

CriticalPublic PoC

Published: 04 March 2026

Published

04 March 2026

Modified

09 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0030 53.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

SQL Injection vulnerability in vran-dev databaseir v.1.0.7 and before allows a remote attacker to execute arbitrary code via the query parameter in the search API endpoint

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly and comprehensively prevents SQL injection by validating the query parameter in the search API endpoint to reject malicious inputs.

SI-2 Flaw Remediation good match

prevent

Remediates the specific SQL injection flaw in vran-dev/databasir v1.0.7 and prior, eliminating the vulnerability at its root.

SI-9 Information Input Restrictions partial match

prevent

Enforces restrictions on the query parameter such as allowed characters and length to block common SQL injection payloads.

Security SummaryAI

CVE-2025-66944 is a SQL injection vulnerability (CWE-89) in vran-dev/databasir versions 1.0.7 and prior. The flaw resides in the search API endpoint, where a remote attacker can inject malicious SQL via the query parameter, leading to arbitrary code execution. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites.

A remote, unauthenticated attacker can exploit this vulnerability by crafting and submitting a malicious query parameter to the affected search API endpoint. Successful exploitation enables arbitrary code execution on the server, potentially resulting in full compromise with high impacts on confidentiality, integrity, and availability, such as data exfiltration, modification, or denial of service.

Mitigation details are available in related advisories, including the GitHub issue at https://github.com/vran-dev/databasir/issues/283 and the analysis at https://zeroday.endlessparadox.com/posts/cve-2025-66944/. Security practitioners should consult these for patching instructions and workarounds specific to databasir deployments.

Details

CWE(s): CWE-89

Affected Products

databasir

≤ 1.0.7

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

SQL injection in unauthenticated public-facing search API endpoint enables remote arbitrary code execution, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/vran-dev/databasir/issues/283
Exploit, Issue Tracking · cve@mitre.org
https://zeroday.endlessparadox.com/posts/cve-2025-66944/
Exploit, Third Party Advisory · cve@mitre.org