Cyber Resilience

CVE-2025-26200

HighPublic PoC

Published: 24 February 2025

Published
24 February 2025
Modified
01 May 2025
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0133 80.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26200 is a high-severity SQL Injection (CWE-89) vulnerability in Slims Senayan Library Management System. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 19.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-26200 is a SQL injection vulnerability, tracked under CWE-89, that affects SLIMS version 9.6.1. The flaw resides in the visitor_report_day.php component and is triggered through the month parameter, enabling unauthorized database manipulation.

A remote attacker with high privileges can exploit the issue over the network with low attack complexity and no user interaction required. Successful exploitation yields full read, write, and disruption capabilities on the affected system, corresponding to the CVSS 7.2 rating that reflects high impact across confidentiality, integrity, and availability.

The two referenced sources consist of a GitHub issue tracker entry for the SLIMS project and a technical blog post; neither supplies explicit patch details or mitigation steps in the available information. The associated EPSS scores remain low and essentially flat, indicating limited observed exploitation interest to date.

EU & UK References

Vulnerability details

SQL injection in SLIMS v.9.6.1 allows a remote attacker to escalate privileges via the month parameter in the visitor_report_day.php component.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in web component directly enables remote exploitation of public-facing app for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-29206Shared CWE-89
CVE-2026-6476Shared CWE-89
CVE-2026-27470Shared CWE-89
CVE-2025-24669Shared CWE-89
CVE-2026-2751Shared CWE-89
CVE-2026-24908Shared CWE-89
CVE-2026-33539Shared CWE-89
CVE-2026-30711Shared CWE-89
CVE-2025-29893Shared CWE-89
CVE-2026-22206Shared CWE-89

Affected Assets

slims
senayan library management system
9.6.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of untrusted inputs like the month parameter to prevent SQL injection exploitation.

prevent

Mandates timely identification, reporting, and correction of flaws such as this SQL injection vulnerability in SLIMS.

prevent

Enforces least privilege to limit the scope and impact of privilege escalation achieved via successful SQL injection.

References