Cyber Resilience

CVE-2025-11251

Critical · Updated

Published: 27 February 2026

Modified: 04 June 2026
KEV Added: not listed
Patch: none referenced
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0040 (31.2th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-11251 is a critical-severity SQL Injection (CWE-89) vulnerability in Daynex Woyio. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 31.2th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-4 (System Monitoring).

Deeper analysis

CVE-2025-11251 is an SQL injection vulnerability (CWE-89) stemming from improper neutralization of special elements used in an SQL command. It affects the E-Commerce Platform developed by Dayneks Software Industry and Trade Inc., with all versions through 27022026 impacted. The vulnerability was published on 2026-02-27 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact exploitation.

Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows arbitrary SQL command execution, potentially enabling attackers to achieve high confidentiality, integrity, and availability impacts, such as extracting sensitive data, modifying database contents, or disrupting service.

The primary advisory is available from the Turkish National Cyber Incident Response Center (USOM) at https://www.usom.gov.tr/bildirim/tr-26-0084. The vendor was contacted early regarding disclosure but provided no response, and no patches or mitigations are referenced in available details. Security practitioners should isolate affected systems, apply network controls, and monitor for anomalous database activity until vendor guidance emerges.

Vulnerability details

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dayneks Software Industry and Trade Inc. E-Commerce Platform allows SQL Injection. This issue affects E-Commerce Platform: through 27022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in an unauthenticated, public-facing web application directly enables remote exploitation for arbitrary command execution and data impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)
CVE-2025-28939 (shared CWE-89)
CVE-2021-47872 (shared CWE-89)
CVE-2025-28873 (shared CWE-89)
CVE-2019-25636 (shared CWE-89)
CVE-2026-32611 (shared CWE-89)
CVE-2026-42755 (shared CWE-89)
CVE-2024-53544 (shared CWE-89)
CVE-2026-21410 (shared CWE-89)

Affected Assets

daynex woyio, all versions

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: SI-10 Information Input Validation

Directly requires validation and sanitization of untrusted input to block malformed SQL elements before they reach the database.
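The SI-10 point above is best seen side by side: the same search term handled by string concatenation (the CWE-89 pattern) and by a parameterised query. The following is an added example written for this page, not code from Daynex, Woyio or USOM; the SQLite schema, the product rows and the allow-list of sort columns are constructed assumptions. It shows that a single legitimate apostrophe already breaks the concatenated statement (the tell-tale sign of an injectable query), that the parameterised version handles the identical input correctly, and how identifiers such as an ORDER BY column, which cannot be bound as parameters, are validated against an allow-list instead.

```python
import sqlite3

# Constructed in-memory stand-in for an e-commerce product table; the schema
# is an assumption for this example, not the vendor's real one.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL, hidden INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, price, hidden) VALUES (?, ?, ?)",
        [("blue mug", 9.5, 0), ("red mug", 11.0, 0), ("O'Brien's mug", 8.0, 0), ("staff bundle", 0.0, 1)],
    )
    return conn


def search_unsafe(conn: sqlite3.Connection, term: str) -> list[str]:
    # CWE-89 pattern: the untrusted search term is spliced into the SQL text,
    # so any quote or comment character in it changes the statement's structure.
    sql = f"SELECT name FROM products WHERE hidden = 0 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list[str]:
    # Parameterised query: the driver passes the term as data, never as SQL text,
    # so special characters are neutralised whatever the term contains.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def unsafe_breaks_on_quote(conn: sqlite3.Connection) -> bool:
    # A legitimate apostrophe is enough to expose the weakness: the concatenated
    # statement no longer parses. The same input is harmless to search_safe.
    try:
        search_unsafe(conn, "O'Brien")
    except sqlite3.OperationalError:
        return True
    return False


# Identifiers (column and table names) cannot be bound as parameters, so the
# only safe option is an allow-list of the values the application expects.
ALLOWED_SORT_COLUMNS = frozenset({"name", "price"})


def is_allowed_sort(column: str) -> bool:
    return column in ALLOWED_SORT_COLUMNS


def list_sorted(conn: sqlite3.Connection, sort_column: str) -> list[str]:
    if not is_allowed_sort(sort_column):
        raise ValueError(f"rejected sort column: {sort_column!r}")
    sql = f"SELECT name FROM products WHERE hidden = 0 ORDER BY {sort_column}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print(search_safe(db, "mug"))
    print(search_safe(db, "O'Brien"))
    print("unsafe query breaks on a quote:", unsafe_breaks_on_quote(db))
    print(list_sorted(db, "price"))
```

The hidden-row filter is part of the statement rather than part of the input, which is the property parameterisation preserves: no search term can change which rows the query is allowed to see.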

Detect: SI-4 System Monitoring

Enables continuous monitoring and anomaly detection on database queries to identify SQL injection attempts or successful exploitation in real time.
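Two signals make the SI-4 monitoring described above concrete at the database layer: statement shapes the application's own queries never produce, and bursts of SQL syntax errors from one client, which tend to precede any successful injection. The following detector is an added example for this page, not code from the vendor or the advisory; the query-log line layout, the table names and the six log lines are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of a database query log (not real Woyio data). The line
# layout "ts client= user= status= stmt=" is an assumption for this example.
SAMPLE_LOG = """\
2026-02-27T10:00:01Z client=10.0.0.5 user=shop_app status=ok stmt="SELECT name FROM products WHERE name LIKE '%mug%'"
2026-02-27T10:00:02Z client=10.0.0.5 user=shop_app status=ok stmt="SELECT name FROM products WHERE name LIKE '%cup%'"
2026-02-27T10:00:03Z client=10.0.0.9 user=shop_app status=error stmt="SELECT name FROM products WHERE name LIKE '%a'%'"
2026-02-27T10:00:04Z client=10.0.0.9 user=shop_app status=error stmt="SELECT name FROM products WHERE id = 7'"
2026-02-27T10:00:05Z client=10.0.0.9 user=shop_app status=ok stmt="SELECT name FROM products WHERE name LIKE '%a%' UNION SELECT username FROM users --%'"
2026-02-27T10:00:06Z client=10.0.0.9 user=shop_app status=ok stmt="SELECT table_name FROM information_schema.tables"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) status=(?P<status>\w+) stmt="(?P<stmt>.*)"$'
)

# Statement shapes the application's own queries never produce: comment
# sequences, UNION-based result grafting, schema enumeration, stacked statements.
SUSPICIOUS_RE = re.compile(
    r"(--|/\*|\bunion\b\s+(?:all\s+)?select\b|\binformation_schema\b|;\s*\w)", re.IGNORECASE
)


def parse_log(text: str) -> list[dict]:
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:  # lines that do not fit the expected layout are skipped
            events.append(m.groupdict())
    return events


def detect(events: list[dict], error_threshold: int = 2) -> list[dict]:
    alerts = []
    # Rule 1: statement-shape anomalies, one alert per offending statement.
    for ev in events:
        if SUSPICIOUS_RE.search(ev["stmt"]):
            alerts.append({"rule": "suspicious_token", "client": ev["client"], "ts": ev["ts"]})
    # Rule 2: repeated SQL errors from one client, a common sign of probing for
    # injectable parameters even when no statement has yet succeeded.
    errors = Counter(ev["client"] for ev in events if ev["status"] == "error")
    for client, n in errors.items():
        if n >= error_threshold:
            alerts.append({"rule": "error_burst", "client": client, "ts": None, "count": n})
    return alerts


def flagged_clients(alerts: list[dict]) -> set[str]:
    return {a["client"] for a in alerts}


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

In production the error-burst rule should be evaluated over a sliding time window rather than the whole file, and the token list tuned against a baseline of the application's real statements so that legitimate queries containing, for example, a `--` inside a string literal do not page anyone.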

Prevent: boundary protection

Boundary protection mechanisms such as WAF rules or network filtering can inspect and drop malicious SQL payloads before they reach the vulnerable application.

References

USOM advisory TR-26-0084: https://www.usom.gov.tr/bildirim/tr-26-0084