CVE-2025-11944
BaseFortify

Publication date: 2025-10-19

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in givanz Vvveb up to 1.0.7.3. This affects the function Import of the file admin/controller/tools/import.php of the component Raw SQL Handler. This manipulation causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Patch name: 52204b4a106b2fb02d16eee06a88a1f2697f9b35. It is recommended to apply a patch to fix this issue.
Meta Information
Published: 2025-10-19
Last Modified: 2026-04-29
Generated: 2026-06-16
AI Q&A: 2025-10-19
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: vvveb; Product: vvveb; Version / Range: up to 1.0.7.3 (inclusive)
CWE ID and Description
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Executive Summary

CVE-2025-11944 is a critical SQL injection vulnerability in the Vvveb CMS version 1.0.7.3 and earlier. It exists in the import functionality, specifically in the admin/controller/tools/import.php file's Raw SQL Handler component. An authenticated administrator can exploit this by uploading a malicious .sql file through the import tool, which executes the SQL commands without proper sanitization. This allows the attacker to run arbitrary SQL queries on the backend database, potentially extracting sensitive information such as administrator passwords. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by compromising the confidentiality, integrity, and availability of your system. An attacker with administrator access can exploit the SQL injection to extract sensitive data, manipulate or delete database contents, and potentially disrupt the normal operation of the application. Since the attack requires authentication but can be initiated remotely, it poses a significant risk if an attacker gains admin credentials or access. [1, 2]

Compliance Impact

The vulnerability can negatively affect compliance with standards like GDPR and HIPAA because it risks unauthorized access to sensitive personal or protected health information stored in the database. Exploitation could lead to data breaches, violating confidentiality and data protection requirements mandated by these regulations. [2]

Detection Guidance

This vulnerability can be detected by checking whether your system is running Vvveb CMS version 1.0.7.3 or earlier and whether the import functionality at admin/controller/tools/import.php is reachable. Signs of exploitation can be found by monitoring for uploads of .sql files via the admin panel under Tools -> Import. Additionally, Google Dorking with the query `inurl:admin/controller/tools/import.php` can be used to identify vulnerable targets. No dedicated detection command is available, but monitoring web server logs for POST requests to the import endpoint that carry .sql file uploads can reveal attempts. [1, 2]
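As an added example, not part of this advisory or of the Vvveb project, the following Python script implements the log check described above: it parses combined-format web server log lines and flags POST requests to the import endpoint. The URL path `/admin/controller/tools/import.php` is assumed to mirror the file path named in the advisory (Vvveb's real routing may differ, so adjust `IMPORT_ENDPOINT` to your deployment), and the log lines are constructed samples, not real traffic. Access logs do not record uploaded filenames, so the `.sql` check from the guidance must be done on application or WAF logs that capture the multipart filename; here that is modelled by an optional `filename` field on the parsed record.

```python
import re
from urllib.parse import urlsplit

# Assumed URL mapping of the file path admin/controller/tools/import.php.
IMPORT_ENDPOINT = "/admin/controller/tools/import.php"

# Constructed sample lines in Apache/Nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [19/Oct/2025:10:01:02 +0000] "GET /admin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Oct/2025:10:02:15 +0000] "POST /admin/controller/tools/import.php HTTP/1.1" 302 0 "https://shop.example/admin/" "Mozilla/5.0"
198.51.100.7 - - [19/Oct/2025:10:03:40 +0000] "GET /admin/controller/tools/import.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Oct/2025:10:04:01 +0000] "POST /admin/controller/tools/import.php?type=sql HTTP/1.1" 200 512 "-" "curl/8.4.0"
192.0.2.5 - - [19/Oct/2025:10:05:22 +0000] "POST /admin/controller/tools/import.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
"""

# Constructed application-level upload records (hypothetical format) that do carry filenames.
SAMPLE_UPLOADS = [
    {"ip": "203.0.113.10", "ts": "19/Oct/2025:10:02:15 +0000", "filename": "products.xml"},
    {"ip": "198.51.100.7", "ts": "19/Oct/2025:10:04:01 +0000", "filename": "dump.sql"},
    {"ip": "192.0.2.5", "ts": "19/Oct/2025:10:05:22 +0000", "filename": "backup.SQL"},
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_import_posts(log_text, endpoint=IMPORT_ENDPOINT):
    """Return every POST to the import endpoint (query string ignored for matching)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path
        if rec["method"] == "POST" and path.endswith(endpoint):
            hits.append({k: rec[k] for k in ("ip", "ts", "target", "status", "ua")})
    return hits


def find_sql_uploads(upload_records):
    """Flag upload records whose filename has a .sql extension (case-insensitive)."""
    return [r for r in upload_records if r["filename"].lower().endswith(".sql")]


def count_by_ip(hits):
    """Aggregate flagged requests per source IP to spot repeated attempts."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    posts = find_import_posts(SAMPLE_LOG)
    for h in posts:
        print(f'{h["ts"]} {h["ip"]} POST {h["target"]} -> {h["status"]} ({h["ua"]})')
    print("per-IP:", count_by_ip(posts))
    for r in find_sql_uploads(SAMPLE_UPLOADS):
        print(f'{r["ts"]} {r["ip"]} uploaded .sql file: {r["filename"]}')
```

A POST to the import endpoint is expected from a legitimate administrator doing an XML import, so the useful signal is the combination: a POST from an unexpected source address or user agent, a .sql filename in the application log, or repeated attempts from one IP. Correlate hits with the admin session that issued them before treating them as exploitation.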

Mitigation Strategies

The immediate mitigation step is to apply the available patch identified by commit 52204b4a106b2fb02d16eee06a88a1f2697f9b35, which removes the raw SQL import option and restricts imports to XML format only. This prevents execution of arbitrary SQL commands and mitigates the SQL injection vulnerability. Additionally, restrict access to the import functionality to trusted administrators and monitor for suspicious activity until the patch is applied. [2, 4]
