Cyber Resilience

CVE-2019-25529

Severity: High · Public PoC referenced

Published: 12 March 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: none referenced
CVSS v4 score: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0004 (11.8th percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-25529 is a high-severity SQL injection (CWE-89) vulnerability. The affected asset is recorded as Sourceforge (inferred from references, since NVD filed no CPE), while the deeper analysis below identifies the product as Placeto CMS Alpha rv.4. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE at the 11.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2019-25529 is an SQL injection vulnerability (CWE-89) in Placeto CMS Alpha rv.4. The flaw resides in the admin/edit.php endpoint, where the 'page' parameter fails to properly sanitize user input, allowing attackers to inject SQL code and manipulate database queries.

Authenticated attackers with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. By crafting GET requests to admin/edit.php with malicious 'page' parameter values, they can employ boolean-based blind, time-based blind, or union-based SQL injection techniques to extract sensitive database information. The issue carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N), reflecting high confidentiality impact, low integrity impact, and no availability impact.

Advisories and resources include the VulnCheck advisory at https://www.vulncheck.com/advisories/placeto-cms-alpha-rv-4-sql-injection-via-page-parameter, a proof-of-concept exploit on Exploit-DB at https://www.exploit-db.com/exploits/46588, the project page at https://sourceforge.net/projects/placeto/, and the affected Alpha rv.4 download at https://sourceforge.net/projects/placeto/files/alpha-rv.4/placeto.zip. No patches or specific mitigation steps are detailed in the provided references.

Vulnerability details

Placeto CMS Alpha rv.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'page' parameter. Attackers can send GET requests to the admin/edit.php endpoint with malicious 'page' values using boolean-based blind, time-based blind, or union-based techniques to extract sensitive database information.

CWE(s): CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct SQL injection in a web application admin endpoint (admin/edit.php) enables remote exploitation of a public-facing CMS to extract database data.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39334 (shared CWE-89)
CVE-2024-13488 (shared CWE-89)
CVE-2026-20002 (shared CWE-89)
CVE-2025-1446 (shared CWE-89)
CVE-2025-22699 (shared CWE-89)
CVE-2026-36232 (shared CWE-89)
CVE-2026-31871 (shared CWE-89)
CVE-2026-33078 (shared CWE-89)
CVE-2026-46359 (shared CWE-89)
CVE-2025-22691 (shared CWE-89)

Affected Assets

Sourceforge (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10, Information Input Validation): Directly requires validation and sanitization of the 'page' parameter in admin/edit.php to block SQL injection payloads.

Prevent (AC-6, Least Privilege): Limits the database objects and data an authenticated low-privilege user can reach even when an injection succeeds.

Detect: Enables monitoring of anomalous SQL statements or excessive data returned from the edit.php endpoint.
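As an added example (not code from this page, from Placeto CMS, or from any referenced advisory), the following Python scans constructed web-server access-log lines for requests to admin/edit.php whose 'page' parameter is not a plain numeric identifier, which is the detection counterpart of the input-validation control described above and of the unsanitized 'page' parameter described in the deeper analysis. It assumes the 'page' parameter is meant to be a numeric record ID and that logs are in Combined Log Format; both are assumptions, not facts stated by the page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Combined Log Format); not taken from the page.
# Lines 2 and 3 carry a quoted/boolean probe and a UNION probe in the 'page' parameter.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2026:10:01:02 +0000] "GET /admin/edit.php?page=3 HTTP/1.1" 200 5120
10.0.0.5 - admin [12/Mar/2026:10:01:09 +0000] "GET /admin/edit.php?page=3%27%20AND%201%3D1--%20- HTTP/1.1" 200 5120
10.0.0.5 - admin [12/Mar/2026:10:01:15 +0000] "GET /admin/edit.php?page=3%20UNION%20SELECT%20NULL,NULL HTTP/1.1" 500 211
10.0.0.9 - - [12/Mar/2026:10:02:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048
10.0.0.5 - admin [12/Mar/2026:10:03:00 +0000] "GET /admin/edit.php HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: a legitimate 'page' value is a short positive integer (record ID).
ID_RE = re.compile(r'^\d{1,9}$')
# Quotes or SQL keywords inside a value that should have been a number.
SQL_HINT_RE = re.compile(r"['\"]|\b(union|select|sleep|benchmark|or|and)\b", re.IGNORECASE)

def inspect_request(target):
    """Return None for a benign request, else a short reason string."""
    parts = urlsplit(target)
    if not parts.path.endswith('/admin/edit.php'):
        return None
    for page in parse_qs(parts.query).get('page', []):  # parse_qs URL-decodes once
        if ID_RE.fullmatch(page):
            continue
        kind = 'sql-keyword-or-quote' if SQL_HINT_RE.search(page) else 'non-numeric'
        return f"page={page!r}: {kind}"
    return None

def scan_log(text):
    """Yield (ip, user, status, reason) for each suspicious edit.php request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        reason = inspect_request(m['target'])
        if reason:
            findings.append((m['ip'], m['user'], m['status'], reason))
    return findings

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 500 status on a flagged request (as in the third sample line) is worth correlating with database error logs, since error-based probing often surfaces there first.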
