CVE-2025-52390

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-52390

9.1 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

S

aurus CMS Community Edition since commit d886e5b0 (2010-04-23) is vulnerable to a SQL Injection vulnerability in the `prepareSearchQuery()` method in `FulltextSearch.class.php`. The application directly concatenates user-supplied input (`$search_word`) into SQL queries without sanitization, allowing attackers to manipulate the SQL logic and potentially extract sensitive information or escalate their privileges.

References
Link Resource
https://github.com/sauruscms/Saurus-CMS-Community-Edition/blob/d886e5b0c1e2b42cd74e2184e7c81c720cd9de6b/classes/FulltextSearch.class.php#L331
https://github.com/theharshkothari/vulnerability-research/blob/main/CVE-2025-52390.md
Configurations

No configuration.

History

04 Aug 2025, 15:06

Type Values Removed Values Added
New CVE
Information

Published : 2025-08-01 16:15

Updated : 2025-08-04 15:06

NVD link : CVE-2025-52390

Mitre link : CVE-2025-52390

CVE.ORG link : CVE-2025-52390

JSON object : View

Products Affected

No product.

CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')