CVE-2025-12462

A Blind SQL injection vulnerability has been identified in DobryCMS. A remote unauthenticated attacker is able to inject SQL syntax into URL path in multiple parameters resulting in Blind SQL Injection. This issue was fixed in versions above 8.0.

CVSS

No CVSS.

References

Link	Resource
https://cert.pl/posts/2026/03/CVE-2025-12462/

Configurations

No configuration.

History

31 Mar 2026, 12:16

Type	Values Removed	Values Added
Summary		(es) Se ha identificado una vulnerabilidad de inyección SQL ciega en DobryCMS. Un atacante remoto no autenticado puede inyectar sintaxis SQL en la ruta URL, lo que resulta en una inyección SQL ciega. Este problema fue corregido en versiones superiores a la 8.0.
Summary	(en) A Blind SQL injection vulnerability has been identified in DobryCMS. A remote unauthenticated attacker is able to inject SQL syntax into URL path resulting in Blind SQL Injection. This issue was fixed in versions above 8.0.	(en) A Blind SQL injection vulnerability has been identified in DobryCMS. A remote unauthenticated attacker is able to inject SQL syntax into URL path in multiple parameters resulting in Blind SQL Injection. This issue was fixed in versions above 8.0.

02 Mar 2026, 13:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-02 13:16

Updated : 2026-06-17 08:32

NVD link : CVE-2025-12462

Mitre link : CVE-2025-12462

CVE.ORG link : CVE-2025-12462

JSON object : View

Products Affected

No product.

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2025-12462", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-12462", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-03-31T15:17:24.247055Z"}}], "cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "cvd@cert.pl", "affectedData": [{"vendor": "Studio Fabryka", "product": "DobryCMS", "versions": [{"status": "affected", "version": "0", "lessThan": "8.0", "versionType": "semver"}], "defaultStatus": "unaffected"}]}], "published": "2026-03-02T13:16:03.973", "references": [{"url": "https://cert.pl/posts/2026/03/CVE-2025-12462/", "source": "cvd@cert.pl"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "A Blind SQL injection vulnerability has been identified in DobryCMS. \u00a0A remote unauthenticated attacker is able to inject SQL syntax into URL path in multiple parameters resulting in Blind SQL Injection.\n\nThis issue was fixed in versions above 8.0."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad de inyecci\u00f3n SQL ciega en DobryCMS. Un atacante remoto no autenticado puede inyectar sintaxis SQL en la ruta URL, lo que resulta en una inyecci\u00f3n SQL ciega.\n\nEste problema fue corregido en versiones superiores a la 8.0."}], "lastModified": "2026-06-17T08:32:25.643", "sourceIdentifier": "cvd@cert.pl"}