{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-57146", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-06T14:04:43.136Z", "dateReserved": "2025-08-17T00:00:00.000Z", "datePublished": "2025-09-03T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-06T14:04:43.136Z"}, "descriptions": [{"lang": "en", "value": "phpgurukul Complaint Management System in PHP 2.0 is vulnerable to SQL Injection in user/reset-password.php via the mobileno parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://doc.clickup.com/3897127/p/h/3pxt7-12536/a7b1b87ee99576c"}, {"url": "https://github.com/hptcybersecurity/CVE/blob/main/CVE-2025-57146.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-09-03T16:24:48.093108Z", "id": "CVE-2025-57146", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-04T14:31:58.158Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-57146", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-09-03T16:24:48.093108Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-03T16:26:21.493Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://doc.clickup.com/3897127/p/h/3pxt7-12536/a7b1b87ee99576c"}, {"url": "https://github.com/hptcybersecurity/CVE/blob/main/CVE-2025-57146.md"}], "descriptions": [{"lang": "en", "value": "phpgurukul Complaint Management System in PHP 2.0 is vulnerable to SQL Injection in user/reset-password.php via the mobileno parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-06T14:04:43.136Z"}}}, "cveMetadata": {"cveId": "CVE-2025-57146", "state": "PUBLISHED", "dateUpdated": "2026-04-06T14:04:43.136Z", "dateReserved": "2025-08-17T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-09-03T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phpgurukul:complaint_management_system:2.0:*:*:*:-:*:*:*", "matchCriteriaId": "8C6D9515-0DC3-4727-B5B5-2E6C34362BF7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "phpgurukul Complaint Management System in PHP 2.0 is vulnerable to SQL Injection in user/reset-password.php via the mobileno parameter."}], "id": "CVE-2025-57146", "lastModified": "2026-04-06T15:17:05.640", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-09-03T15:15:38.403", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://doc.clickup.com/3897127/p/h/3pxt7-12536/a7b1b87ee99576c"}, {"source": "cve@mitre.org", "url": "https://github.com/hptcybersecurity/CVE/blob/main/CVE-2025-57146.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T22:17:53.443002+00:00", "value": {"mitigation_remediation": ["Contact the vendor to obtain a patch that fixes the injection in reset-password.php and apply it as soon as possible.", "If a vendor patch is not yet available, limit access to the reset-password functionality by IP address or internal network and require additional authentication before password reset can proceed.", "Redesign the mobileno handling in reset-password.php to use a prepared statement or parameterized query and validate the mobile number against a strict regex pattern to ensure only legitimate values are accepted."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "Vendor phpGurukul, Product Complaint Management System version 2.0, specifically the reset-password.php component accessed via the user/reset-password.php URL.", "description_and_impact": "The Complaint Management System built in PHP 2.0 contains a failure to sanitize the mobileno parameter in the reset-password.php script. This omission allows attackers to inject arbitrary SQL commands into the request. An attacker who succeeds could read, modify, or delete data in the underlying database, reset users\u2019 passwords, or even gain unauthorized database access. The vulnerability is an instance of injection (CWE\u201189) and could compromise confidentiality, integrity, and availability of the system\u2019s data.", "risk_and_exploitability": "The CVSS score of 8.1 denotes a high severity threat, while the EPSS score of less than 1% indicates a very low probability of exploitation under current conditions. The vulnerability is not listed in CISA\u2019s KEV catalog, but the lack of a mitigation in the code means it can be exploited if an attacker can reach the reset-password endpoint. The likely attack vector is remote over the web, requiring only an unauthenticated HTTP request with a crafted mobileno value."}}}}, "created": "2025-09-03T19:30:11.967236+00:00", "title": "SQL Injection via mobileno in reset\u2011password functionality of Complaint Management System", "updated": "2026-04-22T22:30:28.824396+00:00", "vendors": ["phpgurukul", "phpgurukul$PRODUCT$complaint_management_system"]}