Cyber Resilience

CVE-2025-15498

Critical

Published: 27 February 2026

Published
27 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0047 37.0th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-15498 is a critical-severity SQL Injection (CWE-89) vulnerability in Cert (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, ranked at the 37.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Pro3W CMS if vulnerable to SQL injection attacks. Improper neutralization of input provided into a login form allows an unauthenticated attacker to bypass authentication and gain administrative privileges. This issue was identified in version 1.2.0 of this software. Due to…

more

lack of response from the vendor exact version range could not be determined, but the vulnerability should be eliminated in versions released in January 2026 and later.

CWE(s)

Related Threats

CVEs Like This One

CVE-2026-26709Shared CWE-89
CVE-2026-24956Shared CWE-89
CVE-2021-47980Shared CWE-89
CVE-2018-25199Shared CWE-89
CVE-2026-27179Shared CWE-89
CVE-2026-33615Shared CWE-89
CVE-2025-0308Shared CWE-89
CVE-2025-28939Shared CWE-89
CVE-2019-25581Shared CWE-89
CVE-2026-27885Shared CWE-89

Affected Assets

Cert
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.

References