Cyber Resilience

CVE-2019-25713

Severity: High · Public PoC

Published: 12 April 2026
Modified: 17 April 2026
CVSS v4 score: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0028 (19.2th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2019-25713 is a high-severity SQL injection (CWE-89) vulnerability in Myt (Myt Project). Its CVSS base score is 7.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 19.2th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-25713 is an SQL injection vulnerability (CWE-89) in MyT-PM version 1.5.1. The issue arises from insufficient input validation of the Charge[group_total] parameter, enabling attackers to inject malicious SQL code through crafted POST requests to the /charge/admin endpoint. This allows execution of arbitrary SQL queries using error-based, time-based blind, or stacked query payloads.

Authenticated attackers with low privileges (PR:L) can exploit the vulnerability remotely (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation grants high confidentiality impact (C:H) through extraction of sensitive database information and low integrity impact (I:L) via data manipulation, with no availability impact (A:N) and unchanged scope (S:U). The CVSS v3.1 base score is 7.1.

References include an Exploit-DB proof-of-concept (exploit 46084), a Vulncheck advisory on the SQL injection via the Charge[group_total] parameter, the MyT-PM SourceForge project page, and the official manageyourteam.net site. Security practitioners should review these sources for any patch information or mitigation recommendations.

Vulnerability details

MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Attackers can submit crafted POST requests to the /charge/admin endpoint with error-based, time-based blind, or stacked query payloads to extract sensitive database information or manipulate data.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.

T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

SQL injection in the web application directly enables T1190 exploitation; arbitrary queries then facilitate database data access (T1213.006) and manipulation (T1565.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One (each shares CWE-89)

CVE-2025-13379
CVE-2026-48231
CVE-2026-30881
CVE-2026-27743
CVE-2026-40836
CVE-2025-26136
CVE-2025-22210
CVE-2026-30534
CVE-2026-39319
CVE-2026-25746

Affected Assets

Vendor: myt project
Product: myt
Version: 1.5.1

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly mitigates SQL injection by requiring validation mechanisms for inputs like the Charge[group_total] parameter to block malicious SQL payloads in POST requests to /charge/admin.

SI-2 Flaw Remediation (prevent): Mandates identification, reporting, and correction of the specific SQL injection flaw in MyT-PM 1.5.1, including patching to eliminate the vulnerability.

Error handling (prevent): Prevents information disclosure from database errors exploited in error-based SQL injection attacks via the Charge[group_total] parameter.
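As an added, defender-side illustration (not code from MyT-PM or from this advisory), the following Python sketch applies the input-validation and error-handling controls above to a group_total field: an allow-list check on the Charge[group_total] value, a parameterized UPDATE so the value is never spliced into SQL text, and generic error responses that do not echo database errors. The table and column names are assumptions, and the sample payloads are constructed.

```python
import re
import sqlite3
from decimal import Decimal, InvalidOperation

# Allow-list for a money amount: up to 12 integer digits, optional 2 decimals.
MONEY = re.compile(r"\d{1,12}(\.\d{1,2})?")


def make_db():
    """Constructed in-memory stand-in for the application's charge table
    (hypothetical schema; not taken from MyT-PM)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE charge (id INTEGER PRIMARY KEY, group_total TEXT)")
    conn.execute("INSERT INTO charge (id, group_total) VALUES (1, '0.00')")
    conn.commit()
    return conn


def validate_group_total(raw):
    """SI-10 style check: accept only a plain decimal amount.
    Returns a Decimal, or None when the value is rejected."""
    if not isinstance(raw, str) or not MONEY.fullmatch(raw):
        return None
    try:
        return Decimal(raw)
    except InvalidOperation:
        return None


def update_group_total(conn, charge_id, raw):
    """Handler for the POST Charge[group_total] field. Anything that is not a
    numeric amount is refused before it reaches the database, and the accepted
    value is bound as a parameter rather than concatenated into the statement."""
    value = validate_group_total(raw)
    if value is None:
        # Generic message: the client learns only that the input was refused.
        return {"ok": False, "error": "invalid group_total"}
    try:
        conn.execute("UPDATE charge SET group_total = ? WHERE id = ?",
                     (str(value), charge_id))
        conn.commit()
    except sqlite3.Error:
        # Never return the driver's exception text (error-based disclosure).
        return {"ok": False, "error": "update failed"}
    return {"ok": True}


def read_group_total(conn, charge_id):
    row = conn.execute("SELECT group_total FROM charge WHERE id = ?",
                       (charge_id,)).fetchone()
    return row[0] if row else None
```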