{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-57149", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-06T14:19:08.917Z", "dateReserved": "2025-08-17T00:00:00.000Z", "datePublished": "2025-09-03T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-06T14:19:08.917Z"}, "descriptions": [{"lang": "en", "value": "phpgurukul Complaint Management System 2.0 is vulnerable to SQL Injection in /complaint-details.php via the cid parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://doc.clickup.com/3897127/p/h/3pxt7-12476/312c6ba68f555ca"}, {"url": "https://github.com/hptcybersecurity/CVE/blob/main/CVE-2025-57149.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-09-03T14:59:28.789946Z", "id": "CVE-2025-57149", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-03T15:00:23.307Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-57149", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-03T14:59:28.789946Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-03T14:59:48.903Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://doc.clickup.com/3897127/p/h/3pxt7-12476/312c6ba68f555ca"}, {"url": "https://github.com/hptcybersecurity/CVE/blob/main/CVE-2025-57149.md"}], "descriptions": [{"lang": "en", "value": "phpgurukul Complaint Management System 2.0 is vulnerable to SQL Injection in /complaint-details.php via the cid parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-06T14:19:08.917Z"}}}, "cveMetadata": {"cveId": "CVE-2025-57149", "state": "PUBLISHED", "dateUpdated": "2026-04-06T14:19:08.917Z", "dateReserved": "2025-08-17T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-09-03T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phpgurukul:complaint_management_system:2.0:*:*:*:-:*:*:*", "matchCriteriaId": "8C6D9515-0DC3-4727-B5B5-2E6C34362BF7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "phpgurukul Complaint Management System 2.0 is vulnerable to SQL Injection in /complaint-details.php via the cid parameter."}], "id": "CVE-2025-57149", "lastModified": "2026-04-06T15:17:06.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-09-03T15:15:38.857", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://doc.clickup.com/3897127/p/h/3pxt7-12476/312c6ba68f555ca"}, {"source": "cve@mitre.org", "url": "https://github.com/hptcybersecurity/CVE/blob/main/CVE-2025-57149.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T00:25:58.529725+00:00", "value": {"mitigation_remediation": ["Upgrade to the patched version of PHPgurukul Complaint Management System that resolves the SQL injection.", "Refactor the database interaction in complaint-details.php to use parameterized prepared statements instead of string concatenation.", "Validate the cid query parameter so that only numeric values are accepted, and reject any other input."], "summary": {"action": "Apply Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "This issue affects the PHPgurukul Complaint Management System 2.0. No other versions or vendors are known to be affected at the time of this advisory.", "description_and_impact": "The vulnerability is a classic SQL injection in the complaint-details.php endpoint of PHPgurukul\u2019s Complaint Management System 2.0. By manipulating the cid query parameter, an attacker can inject arbitrary SQL commands, allowing the reading, modification, or deletion of database data and compromising data confidentiality, integrity, and potentially availability. The weakness is classified as CWE\u201189.", "risk_and_exploitability": "The CVSS vector scores the vulnerability as 6.5, which falls in the medium range, while the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not included in the CISA Known Exploit Vulnerabilities catalog. Attackers can reach the flaw by sending crafted HTTP requests to complaint-details.php; authentication is not mentioned, so the exposure may be unauthenticated or require user\u2011level access. Because the flaw is in a publicly reachable web parameter, the risk surface is significant enough to warrant priority remediation."}}}}, "created": "2025-09-03T20:26:48.838500+00:00", "updated": "2026-04-28T00:30:15.462572+00:00", "vendors": ["phpgurukul", "phpgurukul$PRODUCT$complaint_management_system"]}