Cyber Resilience

CVE-2019-25486

High · Public PoC

Published: 11 March 2026
Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: (no value given)
CVSS Score (v4.0): 8.8 · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0033 (25.1 percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2019-25486 is a high-severity SQL injection (CWE-89) vulnerability in Varient 1.6.1, a product of Codingest (vendor inferred from references; NVD filed no CPE). Its CVSS v4.0 base score is 8.8 (High); the CVSS v3.1 base score is 8.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 25.1 percentile for exploit likelihood (below the median). It is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-25486 is an SQL injection vulnerability (CWE-89) affecting Varient version 1.6.1. The issue lies in the handling of the user_id parameter: its value is placed into a database query without neutralization, so an attacker can inject SQL through a POST request. Published on 2026-03-11, it carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), reflecting network reachability, low attack complexity, and no privileges or user interaction required.

Unauthenticated attackers can exploit this vulnerability remotely by sending POST requests with SQL payloads in the user_id field. Doing so lets them alter the logic of database queries, bypass authentication checks that rely on those queries, and read sensitive data from the database; the vector therefore records a high confidentiality impact and a low integrity impact.

Advisories and related resources: a VulnCheck advisory describing the SQL injection via the user_id parameter (https://www.vulncheck.com/advisories/varient-sql-injection-via-user-id-parameter); a proof-of-concept exploit on Exploit-DB (https://www.exploit-db.com/exploits/47058); and the Varient product site (https://varient.codingest.com/).
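The following Python/SQLite snippet is an added illustration of the pattern the paragraphs above describe, not Varient's code and not taken from the VulnCheck advisory or the Exploit-DB entry. It reconstructs a handler that splices a POST-supplied user_id into SQL text, shows a tautology payload turning an exact-match lookup into a full-table read and a UNION payload pulling a sensitive column, and then shows the bound-parameter plus allowlist version that the SI-10 control under Mitigating Controls calls for. The table layout, column names, sample rows and function names are constructed assumptions.

```python
"""CWE-89 via a POST user_id field: vulnerable vs hardened lookup (added example)."""
import re
import sqlite3

# Constructed sample rows standing in for an application's users table.
SAMPLE_USERS = [
    (1, "admin", "admin@example.invalid", "hash-admin"),
    (2, "editor", "editor@example.invalid", "hash-editor"),
    (3, "reader", "reader@example.invalid", "hash-reader"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed users (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """Hypothetical vulnerable handler: the raw POST value becomes part of the SQL text."""
    sql = "SELECT id, username, email FROM users WHERE id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Hardened handler: the value is bound as a parameter and can never change the query."""
    sql = "SELECT id, username, email FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def validate_user_id(raw):
    """SI-10 style allowlist: a user_id is a short, positive decimal integer.

    Returns the integer on success, None on any other input (including Unicode
    digits, signs, whitespace and quote characters).
    """
    if not isinstance(raw, str) or re.fullmatch(r"[0-9]{1,18}", raw) is None:
        return None
    value = int(raw)
    return value if value > 0 else None


def lookup_hardened(conn, raw_user_id):
    """Validation first, then parameterization: rejected input never reaches the database."""
    user_id = validate_user_id(raw_user_id)
    if user_id is None:
        return []
    return lookup_parameterized(conn, user_id)


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    union = "' UNION SELECT id, username, password_hash FROM users--"
    print("benign        :", lookup_vulnerable(db, "2"))
    print("tautology     :", lookup_vulnerable(db, tautology))    # every row
    print("union dump    :", lookup_vulnerable(db, union))        # hashes leak
    print("parameterized :", lookup_parameterized(db, tautology))  # no rows
    print("hardened      :", lookup_hardened(db, tautology))       # rejected
```

The tautology payload closes the quoted literal and appends `OR '1'='1'`, so the WHERE clause matches every row; the UNION payload appends a second SELECT and comments out the trailing quote, which is how a column such as a password hash ends up in a response that was only meant to carry a user's id, name and email. With a bound parameter the same strings are compared as data against an integer column and match nothing, and the allowlist rejects them before a query is even built.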

Vulnerability details

Varient 1.6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user_id parameter. Attackers can submit POST requests with crafted SQL payloads in the user_id field to bypass authentication and extract sensitive database information.

CWE(s)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in public-facing web application enables initial access (T1190) and extraction of sensitive data from databases (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25199 (shared CWE-89)
CVE-2026-27179 (shared CWE-89)
CVE-2025-0308 (shared CWE-89)
CVE-2019-25581 (shared CWE-89)
CVE-2026-27885 (shared CWE-89)
CVE-2019-25479 (shared CWE-89)
CVE-2026-1476 (shared CWE-89)
CVE-2019-25526 (shared CWE-89)
CVE-2025-69365 (shared CWE-89)
CVE-2019-25573 (shared CWE-89)

Affected Assets

Codingest (Varient 1.6.1)
Vendor inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent · SI-10 (Information Input Validation) mandates validation of information inputs such as the user_id parameter, so that SQL injection payloads cannot reach and alter database queries.

prevent · SI-2 (Flaw Remediation) requires timely identification, reporting, and correction of flaws such as the SQL injection vulnerability in Varient 1.6.1.

detect · RA-5 (Vulnerability Monitoring and Scanning) provides vulnerability scanning to detect SQL injection issues like CVE-2019-25486 in the user_id parameter for prioritized remediation.
