CVE-2025-15498

Pro3W CMS if vulnerable to SQL injection attacks. Improper neutralization of input provided into a login form allows an unauthenticated attacker to bypass authentication and gain administrative privileges. This issue was identified in version 1.2.0 of this software. Due to lack of response from the vendor exact version range could not be determined, but the vulnerability should be eliminated in versions released in January 2026 and later.

CVSS

No CVSS.

References

Link	Resource
https://cert.pl/posts/2026/02/CVE-2025-15498
https://www.pro3w.pl/

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Pro3W CMS es vulnerable a ataques de inyección SQL. La neutralización inadecuada de la entrada proporcionada en un formulario de inicio de sesión permite a un atacante no autenticado eludir la autenticación y obtener privilegios administrativos. Este problema fue identificado en la versión 1.2.0 de este software. Debido a la falta de respuesta del proveedor, no se pudo determinar el rango exacto de versiones, pero la vulnerabilidad debería ser eliminada en las versiones lanzadas en enero de 2026 y posteriores.

27 Feb 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-27 14:16

Updated : 2026-06-17 08:37

NVD link : CVE-2025-15498

Mitre link : CVE-2025-15498

CVE.ORG link : CVE-2025-15498

JSON object : View

Products Affected

No product.

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2025-15498", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-15498", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-02-27T14:19:40.604285Z"}}], "cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "cvd@cert.pl", "affectedData": [{"vendor": "Pro3W", "product": "Pro3W CMS", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.0"}], "defaultStatus": "unknown"}]}], "published": "2026-02-27T14:16:27.860", "references": [{"url": "https://cert.pl/posts/2026/02/CVE-2025-15498", "source": "cvd@cert.pl"}, {"url": "https://www.pro3w.pl/", "source": "cvd@cert.pl"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Pro3W CMS if vulnerable to\u00a0SQL injection attacks.\u00a0Improper neutralization of input provided into a login form allows an unauthenticated attacker to bypass authentication and gain administrative privileges.\u00a0\n\nThis issue was identified in version 1.2.0 of this software. Due to lack of response from the vendor exact version range could not be determined, but the vulnerability should be eliminated in versions released in January 2026 and later."}, {"lang": "es", "value": "Pro3W CMS es vulnerable a ataques de inyecci\u00f3n SQL. La neutralizaci\u00f3n inadecuada de la entrada proporcionada en un formulario de inicio de sesi\u00f3n permite a un atacante no autenticado eludir la autenticaci\u00f3n y obtener privilegios administrativos.\n\nEste problema fue identificado en la versi\u00f3n 1.2.0 de este software. Debido a la falta de respuesta del proveedor, no se pudo determinar el rango exacto de versiones, pero la vulnerabilidad deber\u00eda ser eliminada en las versiones lanzadas en enero de 2026 y posteriores."}], "lastModified": "2026-06-17T08:37:54.033", "sourceIdentifier": "cvd@cert.pl"}