CVE-2025-10969
Published: 12 February 2026
Summary
CVE-2025-10969 is a critical-severity SQL Injection (CWE-89) vulnerability in Farktor E-Commerce Package. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-10969 is an Improper Neutralization of Special Elements used in an SQL Command vulnerability, classified as SQL Injection and specifically enabling Blind SQL Injection, in the E-Commerce Package from Farktor Software E-Commerce Services Inc. The issue affects all versions of the E-Commerce Package through 27112025. It has been assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impacts on confidentiality, integrity, and availability.
Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows attackers to perform Blind SQL Injection, enabling them to infer and extract sensitive data from the underlying database, modify database contents, or disrupt service availability.
The primary advisory reference is from USOM at https://www.usom.gov.tr/bildirim/tr-26-0063, which security practitioners should consult for detailed mitigation guidance, such as applying patches if available or implementing input validation and prepared statements.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207403
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Blind SQL Injection. This issue affects E-Commerce Package: through 27112025.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote unauthenticated SQL injection in a public-facing e-commerce web application enables initial access via exploitation of the exposed service.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of inputs to block specially crafted SQL elements before they reach the database.
Mandates timely remediation of the identified flaw in the E-Commerce Package to eliminate the SQL injection vector.
Enables monitoring of database interactions and anomalous query patterns that would indicate attempted blind SQL injection.