CVE-2019-25523

HighPublic PoC

Published: 12 March 2026

Published

12 March 2026

Modified

23 March 2026

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS Score 0.0026 49.7th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2019-25523 is a high-severity SQL Injection (CWE-89) vulnerability in Xooscripts Xoogallery. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents SQL injection by validating the cat_id parameter in cat.php against expected formats, blocking malicious SQL code injection via GET requests.

SI-2 Flaw Remediation good match

prevent

Remediates the specific SQL injection flaw in XooGallery's cat.php, eliminating the vulnerability through patching or code correction.

SC-7 Boundary Protection partial match

prevent

Boundary protection at web interfaces filters and blocks crafted GET requests with SQL injection payloads targeting the cat_id parameter.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing web application (T1190) enables unauthenticated remote exploitation; allows arbitrary database queries for sensitive data extraction (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Attackers can send GET requests to cat.php with malicious cat_id values to bypass authentication, extract sensitive data,…

or modify database contents.

Deeper analysisAI

CVE-2019-25523 is an SQL injection vulnerability (CWE-89) in XooGallery Latest, affecting the cat.php component through the cat_id parameter. This flaw enables attackers to inject malicious SQL code into database queries via GET requests. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact with low integrity impact and no availability impact. It was published on 2026-03-12.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity by sending crafted GET requests to cat.php containing malicious values in the cat_id parameter. Successful exploitation allows bypassing authentication, extracting sensitive data from the database, or modifying database contents.

Advisories and exploit details are documented in references including Exploit-DB (https://www.exploit-db.com/exploits/46609) and VulnCheck (https://www.vulncheck.com/advisories/xoogallery-lastest-latest-sql-injection-via-cat-php), which provide proof-of-concept exploits demonstrating the SQL injection.

A public exploit is available on Exploit-DB, indicating potential for real-world abuse against unpatched XooGallery Latest installations.