{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-57147", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-06T14:15:59.722Z", "dateReserved": "2025-08-17T00:00:00.000Z", "datePublished": "2025-09-03T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-06T14:15:59.722Z"}, "descriptions": [{"lang": "en", "value": "A SQL Injection vulnerability was found in phpgurukul Complaint Management System 2.0. The vulnerability is due to lack of input validation of multiple parameters including fullname, email, and contactno in user/registration.php."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://doc.clickup.com/3897127/p/h/3pxt7-12556/5435bb675762866"}, {"url": "https://github.com/hptcybersecurity/CVE/blob/main/CVE-2025-57147.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-09-03T17:22:02.388167Z", "id": "CVE-2025-57147", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-03T17:24:39.413Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-57147", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-03T17:22:02.388167Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-03T17:22:48.576Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://doc.clickup.com/3897127/p/h/3pxt7-12556/5435bb675762866"}, {"url": "https://github.com/hptcybersecurity/CVE/blob/main/CVE-2025-57147.md"}], "descriptions": [{"lang": "en", "value": "A SQL Injection vulnerability was found in phpgurukul Complaint Management System 2.0. The vulnerability is due to lack of input validation of multiple parameters including fullname, email, and contactno in user/registration.php."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-06T14:15:59.722Z"}}}, "cveMetadata": {"cveId": "CVE-2025-57147", "state": "PUBLISHED", "dateUpdated": "2026-04-06T14:15:59.722Z", "dateReserved": "2025-08-17T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-09-03T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phpgurukul:complaint_management_system:2.0:*:*:*:-:*:*:*", "matchCriteriaId": "8C6D9515-0DC3-4727-B5B5-2E6C34362BF7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A SQL Injection vulnerability was found in phpgurukul Complaint Management System 2.0. The vulnerability is due to lack of input validation of multiple parameters including fullname, email, and contactno in user/registration.php."}], "id": "CVE-2025-57147", "lastModified": "2026-04-06T15:17:05.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-09-03T15:15:38.563", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://doc.clickup.com/3897127/p/h/3pxt7-12556/5435bb675762866"}, {"source": "cve@mitre.org", "url": "https://github.com/hptcybersecurity/CVE/blob/main/CVE-2025-57147.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T22:19:53.972459+00:00", "value": {"mitigation_remediation": ["Update to a patched version of the system", "Implement input validation and use parameterized queries for fullname, email, and contactno fields", "Deploy a web application firewall or input filter to block malicious SQL"], "summary": {"action": "Patch", "impact": "Database Compromise"}, "threat_synthesis": {"affected_systems": "Customers are affected by phpgurukul Complaint Management System\u202f2.0 as identified by the CPE cpe:2.3:a:phpgurukul:complaint_management_system:2.0. The system is vulnerable whenever the registration page is reachable. No vendor patch is listed, so internal remediation or upgraded releases must be sought.", "description_and_impact": "The vulnerability is a classic SQL Injection in the registration script of the Complaint Management System\u202f2.0. The lack of input validation on fields such as fullname, email, and contactno allows an attacker to inject arbitrary SQL statements into database queries. This flaw could enable the attacker to read, modify, or delete application data, leading to loss of confidentiality or integrity of stored information.", "risk_and_exploitability": "The CVSS score of 7.5 categorizes this as a high severity flaw. However, the EPSS score is less than 1%, implying a very low probability of exploitation in the wild. The flaw is not listed in CISA's KEV catalog, indicating the threat level is currently low. Based on the description, the likely attack vector is remote via HTTP requests to the vulnerable registration endpoint, and the attack can be executed without special access privileges."}}}}, "created": "2025-09-03T20:26:47.951360+00:00", "title": "SQL Injection in Complaint Management System\u202f2.0", "updated": "2026-04-22T22:30:28.824880+00:00", "vendors": ["phpgurukul", "phpgurukul$PRODUCT$complaint_management_system"]}