CVE-2025-70152
Published: 18 February 2026
Description
code-projects Community Project Scholars Tracking System 1.0 is vulnerable to SQL Injection in the admin user management endpoints /admin/save_user.php and /admin/update_user.php. These endpoints lack authentication checks and directly concatenate user-supplied POST parameters (firstname, lastname, username, password, user_id) into SQL queries without validation or parameterization.
Mitigating Controls (NIST 800-53 r5)
- Requires validation of user-supplied POST parameters prior to use in SQL queries, directly preventing SQL injection exploitation.
- Mandates identification and authentication for organizational users accessing admin endpoints, mitigating the lack of authentication checks.
- Enforces logical access controls to block unauthenticated remote attackers from reaching vulnerable admin user management endpoints.
Security Summary
CVE-2025-70152 is a critical SQL injection vulnerability (CWE-89) affecting the code-projects Community Project Scholars Tracking System 1.0. The flaw resides in the admin user management endpoints /admin/save_user.php and /admin/update_user.php, which lack authentication checks and directly concatenate user-supplied POST parameters—including firstname, lastname, username, password, and user_id—into SQL queries without validation or parameterization. Published on 2026-02-18, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility and comprehensive impact potential.
Any unauthenticated remote attacker can exploit this vulnerability by sending crafted POST requests to the affected endpoints, requiring no privileges or user interaction. Successful exploitation enables arbitrary SQL injection, granting high-level impacts on confidentiality (e.g., data exfiltration), integrity (e.g., user record manipulation), and availability (e.g., denial of service via destructive queries), potentially leading to full database compromise.
Mitigation guidance is available in referenced advisories, including the project source code at https://code-projects.org/scholars-tracking-system-in-php-with-source-code/ and a detailed analysis at https://youngkevinn.github.io/posts/CVE-2025-70152-Scholars-SQLi-Missing-Auth/. Practitioners should review these for patching instructions or secure coding recommendations, such as implementing parameterized queries and authentication controls.
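As an added illustration of the flaw class this record describes and of the two controls it recommends (authentication on the admin endpoint and parameterized queries), the code below is hypothetical and not the Scholars Tracking System's own; the table name, column names and the `admin_id` session key are assumed.

```php
<?php
// Hypothetical illustration of the pattern described in CVE-2025-70152.
// Not the project's own code; table, column and session key names are assumed.

// BEFORE (vulnerable pattern): no authentication check, and the POST values
// named in the advisory are concatenated straight into the SQL statement.
function update_user_vulnerable(mysqli $db): void {
    $sql = "UPDATE users SET firstname='" . $_POST['firstname'] . "', "
         . "lastname='"  . $_POST['lastname'] . "', "
         . "username='"  . $_POST['username'] . "', "
         . "password='"  . $_POST['password'] . "' "
         . "WHERE user_id=" . $_POST['user_id'];
    $db->query($sql); // request text becomes part of the statement itself
}

// AFTER (hardened): require an authenticated admin session, validate the
// inputs, and bind every value as a parameter so it can never alter the query.
function update_user_hardened(PDO $db): void {
    session_start();
    if (empty($_SESSION['admin_id'])) {          // assumed session key
        http_response_code(403);
        exit('Authentication required');
    }
    $userId = filter_input(INPUT_POST, 'user_id', FILTER_VALIDATE_INT);
    if ($userId === false || $userId === null) { // missing or non-integer id
        http_response_code(400);
        exit('Invalid user_id');
    }
    foreach (['firstname', 'lastname', 'username', 'password'] as $field) {
        $value = $_POST[$field] ?? null;
        if (!is_string($value) || $value === '' || strlen($value) > 100) {
            http_response_code(400);
            exit("Invalid $field");
        }
    }
    $stmt = $db->prepare(
        'UPDATE users SET firstname = :fn, lastname = :ln, username = :un, '
        . 'password = :pw WHERE user_id = :id'
    );
    $stmt->execute([
        ':fn' => $_POST['firstname'],
        ':ln' => $_POST['lastname'],
        ':un' => $_POST['username'],
        ':pw' => password_hash($_POST['password'], PASSWORD_DEFAULT), // never store plaintext
        ':id' => $userId,
    ]);
}
```

The same two changes (session check first, prepared statement with bound parameters) apply equally to an insert handler such as save_user.php.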
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in unauthenticated admin endpoints of a public-facing web application directly enables T1190 (Exploit Public-Facing Application) and facilitates T1213.006 (Data from Information Repositories: Databases) through arbitrary SQL queries for data exfiltration, manipulation, and potential DoS.