CVE-2025-11251
Published: 27 February 2026
Summary
CVE-2025-11251 is a critical-severity SQL Injection (CWE-89) vulnerability in Daynex Woyio. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 31.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-4 (System Monitoring).
Deeper analysis
CVE-2025-11251 is an SQL injection vulnerability (CWE-89) stemming from improper neutralization of special elements used in an SQL command. It affects the E-Commerce Platform developed by Dayneks Software Industry and Trade Inc., with all versions through 27022026 impacted. The vulnerability was published on 2026-02-27 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact exploitation.
Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows arbitrary SQL command execution, potentially enabling attackers to achieve high confidentiality, integrity, and availability impacts, such as extracting sensitive data, modifying database contents, or disrupting service.
The primary advisory is available from the Turkish National Cyber Incident Response Center (USOM) at https://www.usom.gov.tr/bildirim/tr-26-0084. The vendor was contacted early regarding disclosure but provided no response, and no patches or mitigations are referenced in available details. Security practitioners should isolate affected systems, apply network controls, and monitor for anomalous database activity until vendor guidance emerges.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208137
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dayneks Software Industry and Trade Inc. E-Commerce Platform allows SQL Injection. This issue affects E-Commerce Platform: through 27022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
SQL injection in unauthenticated public-facing web application directly enables remote exploitation for arbitrary command execution and data impact.
Affected Assets
- Dayneks Software Industry and Trade Inc. E-Commerce Platform, all versions through 27022026
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted input to block malformed SQL elements before they reach the database.
- SI-4 (System Monitoring): enables continuous monitoring and anomaly detection on database queries to identify SQL injection attempts or successful exploitation in real time.
- SC-7 (Boundary Protection): boundary protection mechanisms such as WAF rules or network filtering can inspect and drop malicious SQL payloads before they reach the vulnerable application.
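The following is an added example, not code from the advisory, from USOM, or from the Dayneks product, whose source is not public. It shows the CWE-89 pattern the "Deeper analysis" section describes against an in-memory sqlite3 table (a lookup that pastes an untrusted value into SQL text, so every row comes back for a tautology), beside the two layers the controls above call for: a parameterised query with SI-10 style input validation in front of it, and an SI-4 style check that flags injection attempts in web access logs. The `products` table, the `SKU-nnn` format, the `/product?sku=` endpoint and the log lines are all constructed for this example and are not taken from the affected platform.

```python
"""Added example, not code from the advisory or from the Dayneks product:
CWE-89 against an in-memory sqlite3 table, beside the parameterised and
input-validated form (SI-10) and a request-log check (SI-4).
Table, rows, SKU format, endpoint and log lines are all constructed."""
import re
import sqlite3
from urllib.parse import unquote_plus

# SI-10 (input validation): the shape a product SKU is allowed to take (assumed format)
SKU_PATTERN = re.compile(r"SKU-\d{3}")


def make_db():
    """Build a throwaway product table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, sku TEXT, name TEXT, cost REAL)"
    )
    conn.executemany(
        "INSERT INTO products (sku, name, cost) VALUES (?, ?, ?)",
        [("SKU-100", "Lamp", 12.5), ("SKU-200", "Chair", 40.0), ("SKU-300", "Desk", 120.0)],
    )
    return conn


def lookup_vulnerable(conn, sku):
    """CWE-89: the untrusted value becomes part of the SQL text, so quote
    characters inside it change the meaning of the statement."""
    query = f"SELECT sku, name FROM products WHERE sku = '{sku}'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, sku):
    """The fix: the value travels as a bound parameter, never as SQL text.
    A quote inside it is just data, so a tautology matches no row."""
    return conn.execute(
        "SELECT sku, name FROM products WHERE sku = ?", (sku,)
    ).fetchall()


def lookup_hardened(conn, sku):
    """SI-10 on top of parameterisation: reject anything that is not shaped
    like a SKU before it reaches the database at all."""
    if not SKU_PATTERN.fullmatch(sku):
        raise ValueError(f"rejected input: {sku!r}")
    return lookup_parameterised(conn, sku)


# SI-4 (system monitoring): coarse signatures for injection attempts in request logs.
# Each entry is (reason, pattern), applied to the URL-decoded request target.
INJECTION_SIGNATURES = [
    ("tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("union select", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("comment or stacked statement", re.compile(r"--|/\*|;\s*(drop|delete|update|insert)\b", re.I)),
]
REQUEST_TARGET = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed access-log lines in common log format; the IPs are documentation ranges.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [27/Feb/2026:10:00:01 +0000] "GET /product?sku=SKU-100 HTTP/1.1" 200 512',
    '203.0.113.10 - - [27/Feb/2026:10:00:02 +0000] "GET /product?sku=SKU-200 HTTP/1.1" 200 498',
    '198.51.100.7 - - [27/Feb/2026:10:00:05 +0000] "GET /product?sku=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1530',
    '198.51.100.7 - - [27/Feb/2026:10:00:09 +0000] "GET /product?sku=x%27%20UNION%20SELECT%20sku,cost%20FROM%20products-- HTTP/1.1" 200 1602',
]


def suspicious_requests(log_lines):
    """Return (line_index, reason, decoded_target) for every log line whose
    decoded request target matches one of the injection signatures."""
    hits = []
    for i, line in enumerate(log_lines):
        m = REQUEST_TARGET.search(line)
        if not m:
            continue
        target = unquote_plus(m.group(1))  # decode before matching, or %27 hides the quote
        for reason, pattern in INJECTION_SIGNATURES:
            if pattern.search(target):
                hits.append((i, reason, target))
                break
    return hits


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(db, probe))     # every row comes back
    print("parameterised:", lookup_parameterised(db, probe))  # []
    for hit in suspicious_requests(SAMPLE_ACCESS_LOG):
        print("flagged:", hit)
```

Parameterisation alone closes the injection; the SKU allow-list in `lookup_hardened` is the SI-10 layer that also rejects the input outright, which is what a WAF rule at the boundary (SC-7) would do further out. The log check is deliberately simple signature matching: in production it belongs in the SIEM alongside database-side query monitoring, and it will miss encodings and variants the three patterns do not cover.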