CVE-2025-12462
Received Received - Intake
Blind SQL Injection in DobryCMS Allows Remote Data Access

Publication date: 2026-03-02

Last updated on: 2026-03-31

Assigner: CERT.PL

Description
A Blind SQL injection vulnerability has been identified in DobryCMS. Β A remote unauthenticated attacker is able to inject SQL syntax into URL path in multiple parameters resulting in Blind SQL Injection. This issue was fixed in versions above 8.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-02
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-02
EPSS Evaluated
2026-06-14
NVD
CVE-2025-12462
EUVD
EUVD-2025-208153
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
studio_fabryka dobrycms to 8.0 (exc)
studio_fabryka dobrycms to 5.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-12462 is a Blind SQL Injection vulnerability found in DobryCMS software developed by Studio Fabryka. It affects all versions up to 8.0. The vulnerability allows a remote, unauthenticated attacker to inject arbitrary SQL queries through the URL path.'}, {'type': 'paragraph', 'content': "Because it is a Blind SQL Injection, the attacker can manipulate the database queries without directly seeing the results, but can infer information based on the application's behavior."}, {'type': 'paragraph', 'content': 'This issue was fixed in versions above 8.0.'}] [1]

Impact Analysis

This vulnerability can allow a remote attacker to execute arbitrary SQL queries on the DobryCMS database without authentication.

Potential impacts include unauthorized access to sensitive data, data leakage, data modification, or even deletion of data stored in the database.

Since the attacker can inject SQL commands, it may lead to a full compromise of the database, affecting the confidentiality, integrity, and availability of the data.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'The vulnerability can be detected by testing for Blind SQL Injection in the URL path of DobryCMS instances up to version 8.0. This involves sending crafted HTTP requests with SQL syntax injected into the URL path and observing the responses for signs of SQL injection behavior.'}, {'type': 'paragraph', 'content': 'A common approach is to use tools like curl or specialized SQL injection testing tools to send requests with payloads designed to trigger different responses based on the injected SQL.'}, {'type': 'list_item', 'content': 'Example curl command to test for Blind SQL Injection: curl -i "http://target/dobrycms/path\' AND 1=1--"'}, {'type': 'list_item', 'content': 'Followed by: curl -i "http://target/dobrycms/path\' AND 1=2--" to compare responses and detect differences indicating injection.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade DobryCMS to a version above 8.0, where this Blind SQL Injection vulnerability has been fixed.

Until the upgrade can be performed, consider implementing web application firewall (WAF) rules to block suspicious SQL injection attempts in URL paths.

Additionally, restrict access to the affected application where possible and monitor logs for unusual URL requests that may indicate exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12462. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart