CVE-2019-25303

Severity: High · Public PoC
Published: 06 February 2026
Modified: 15 April 2026
CVSS Score v4: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0004 (14.1th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-25303 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 14.1th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2019-25303 is a SQL injection vulnerability in TheJshen ContentManagementSystem version 1.04. The issue affects the 'id' GET parameter, which fails to properly sanitize user input, allowing attackers to manipulate database queries. Exploitation is possible via boolean-based, time-based, and UNION-based SQL injection techniques, enabling the extraction or manipulation of database information. The vulnerability is rated with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) and is associated with CWE-89.

The vulnerability can be exploited by remote attackers who possess low privileges, such as authenticated users, due to the PR:L requirement in the CVSS vector. No user interaction is needed, and attacks can be launched over the network with low complexity. Successful exploitation grants high confidentiality impact through data extraction and low integrity impact via database manipulation, without disrupting availability.

Advisories and related resources include a VulnCheck advisory detailing the SQL injection in the 'id' parameter, an Exploit-DB entry (47569) with a proof-of-concept exploit, and the GitHub repository for TheJshen ContentManagementSystem. No specific patches or mitigation steps are detailed in the provided information.

Vulnerability details

TheJshen ContentManagementSystem 1.04 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'id' GET parameter. Attackers can exploit boolean-based, time-based, and UNION-based SQL injection techniques to extract or manipulate database information by crafting malicious query payloads.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.

Why these techniques?

SQL injection in a public-facing web CMS directly enables remote exploitation (T1190) and unauthorized database data extraction/manipulation (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2019-25537 (Shared CWE-89)
CVE-2019-25366 (Shared CWE-89)
CVE-2019-25496 (Shared CWE-89)
CVE-2026-1475 (Shared CWE-89)
CVE-2026-26990 (Shared CWE-89)
CVE-2026-44047 (Shared CWE-89)
CVE-2025-12865 (Shared CWE-89)
CVE-2024-11135 (Shared CWE-89)
CVE-2019-25491 (Shared CWE-89)
CVE-2024-13369 (Shared CWE-89)

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly requires validation and sanitization of the 'id' GET parameter to block boolean/time/UNION-based SQL payloads before they reach the database.

Prevent: Limits the database privileges available to the low-privilege authenticated accounts that can exploit the injection, reducing the scope of data extraction or manipulation.

Prevent: Requires timely remediation of the identified SQL injection flaw in the ContentManagementSystem 1.04 code.
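
The input-validation control above, as an added example (not code from this advisory or from the CMS): the 'id' value is validated as a bounded integer and bound as a query parameter, shown beside the concatenated form it replaces. The sqlite3 schema, function names and sample strings are constructed assumptions; the page does not show the CMS's own query.

```python
import sqlite3

# Constructed sample values, one per injection class named in the advisory.
SAMPLES = {
    "boolean": "1 OR 1=1",
    "time": "1 AND SLEEP(5)",
    "union": "1 UNION SELECT name, pw_hash FROM users",
}

def make_db():
    """Constructed schema for the demo; not the CMS's real tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (name TEXT, pw_hash TEXT);
        INSERT INTO pages VALUES (1, 'Home'), (2, 'About');
        INSERT INTO users VALUES ('admin', 'constructed-hash');
    """)
    return db

def get_page_vulnerable(db, raw_id):
    # 'Before' form: the GET value becomes part of the SQL text, so the
    # parameter can change the structure of the query (CWE-89).
    return db.execute("SELECT id, title FROM pages WHERE id = " + raw_id).fetchall()

def parse_id(raw_id):
    """Accept only 1-10 ASCII digits; anything else is rejected."""
    ok = (isinstance(raw_id, str) and raw_id.isascii()
          and raw_id.isdigit() and len(raw_id) <= 10)
    if not ok:
        raise ValueError("invalid id parameter")
    return int(raw_id)

def get_page_hardened(db, raw_id):
    # The validated integer is bound as a parameter, never concatenated.
    return db.execute("SELECT id, title FROM pages WHERE id = ?",
                      (parse_id(raw_id),)).fetchall()

def rejected(db, samples):
    """Return the sample kinds that the hardened lookup refuses."""
    out = []
    for kind, value in samples.items():
        try:
            get_page_hardened(db, value)
        except ValueError:
            out.append(kind)
    return out
```

Validation alone is one layer; running the lookup under a database account limited to the tables it needs is the least-privilege control listed above.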

References