{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-69768", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-16T18:58:26.256Z", "dateReserved": "2026-01-09T00:00:00.000Z", "datePublished": "2026-03-16T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-16T17:17:38.253Z"}, "descriptions": [{"lang": "en", "value": "SQL Injection vulnerability in Chyrp v.2.5.2 and before allows a remote attacker to obtain sensitive information via the Admin.php component"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/chyrp/chyrp/blob/768dd2f7/includes/controller/Admin.php#L1482"}, {"url": "https://github.com/chyrp/chyrp"}, {"url": "https://swetha-subramanian6.github.io/web%20security/cve/chyrp-sqli-cve/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T18:57:51.983812Z", "id": "CVE-2025-69768", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T18:58:26.256Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69768", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T18:57:51.983812Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T18:56:47.519Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/chyrp/chyrp/blob/768dd2f7/includes/controller/Admin.php#L1482"}, {"url": "https://github.com/chyrp/chyrp"}, {"url": "https://swetha-subramanian6.github.io/web%20security/cve/chyrp-sqli-cve/"}], "descriptions": [{"lang": "en", "value": "SQL Injection vulnerability in Chyrp v.2.5.2 and before allows a remote attacker to obtain sensitive information via the Admin.php component"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-16T17:17:38.253Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69768", "state": "PUBLISHED", "dateUpdated": "2026-03-16T18:58:26.256Z", "dateReserved": "2026-01-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-16T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chyrp:chyrp:*:*:*:*:*:*:*:*", "matchCriteriaId": "ABD0557D-2DAA-4D5E-9157-51ED66F5A393", "versionEndIncluding": "2.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SQL Injection vulnerability in Chyrp v.2.5.2 and before allows a remote attacker to obtain sensitive information via the Admin.php component"}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en Chyrp v.2.5.2 y anteriores permite a un atacante remoto obtener informaci\u00f3n sensible a trav\u00e9s del componente Admin.php"}], "id": "CVE-2025-69768", "lastModified": "2026-03-20T13:34:56.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-16T18:16:04.780", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/chyrp/chyrp"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/chyrp/chyrp/blob/768dd2f7/includes/controller/Admin.php#L1482"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://swetha-subramanian6.github.io/web%20security/cve/chyrp-sqli-cve/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.2]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "chyrp", "vendor": "chyrp"}], "analysis": {"en": {"generated_at": "2026-03-20T14:37:54.497093+00:00", "value": {"mitigation_remediation": ["Apply official patch to Chyrp once available", "If a patch is not yet released, restrict access to the Admin.php interface to trusted IPs or authenticated users only", "Continuously monitor web server logs for unusual SQL usage patterns or authentication attempts"], "summary": {"action": "Apply Patch", "impact": "Unauthorized Databases Retrieval"}, "threat_synthesis": {"affected_systems": "Chyrp CMS (cpe:2.3:a:chyrp:chyrp:*:*:*:*:*:*:*) affected in all releases up to and including version 2.5.2. No specific patch version is listed, and the vendor is not identified.", "description_and_impact": "A SQL Injection flaw exists in the Admin.php component of Chyrp CMS version 2.5.2 and older. The vulnerability is a classic example of CWE\u201189, allowing a remote attacker to inject malicious SQL statements that can read or exfiltrate sensitive data from the database. The impact is direct data disclosure, potentially exposing user credentials, posts, or other confidential information, without providing control over the server or writable access beyond the database layer.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity. The EPSS score of less than 1% suggests a low probability of actual exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by crafting a SQL payload to the Admin.php endpoint. Successful exploitation grants read\u2011only access to the underlying database, allowing information disclosure but not arbitrary code execution."}}}}, "created": "2026-03-17T09:55:33.061702+00:00", "title": "SQL Injection in Chyrp Admin Component Allows Remote Data Retrieval", "updated": "2026-03-23T14:01:00.209743+00:00", "vendors": ["chyrp", "chyrp$PRODUCT$chyrp"]}