Cyber Resilience

CVE-2025-51567

CriticalPublic PoC

Published: 12 January 2026

Published
12 January 2026
Modified
16 January 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0035 27.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-51567 is a critical-severity SQL Injection (CWE-89) vulnerability in Jayesh Online Exam System. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-51567 is a SQL injection vulnerability (CWE-89) affecting kashipara Online Exam System V1.0, specifically in the /exam/user/profile.php page. The flaw arises from improper handling of POST request parameters including rname, rcollage, rnumber, rgender, and rpassword, enabling remote attackers to inject and execute arbitrary SQL commands for unauthorized database access. Published on 2026-01-12, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), marking it as critical due to its network accessibility and lack of prerequisites.

Unauthenticated remote attackers can exploit the vulnerability by submitting malicious payloads via the vulnerable POST parameters to the profile update endpoint. Exploitation allows execution of arbitrary SQL commands, resulting in high-impact confidentiality and integrity violations, such as extracting sensitive data from the database or altering records, with no direct availability disruption.

A technical writeup providing further details on the vulnerability is available at https://github.com/0xBhushan/Writeups/blob/main/CVE/Kashipara/Online%20Exam%20System/SQL%20Injection-Profile%20Update.pdf. No official vendor advisories or patches are referenced in the CVE information.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A SQL Injection was found in the /exam/user/profile.php page of kashipara Online Exam System V1.0, which allows remote attackers to execute arbitrary SQL command to get unauthorized database access via the rname, rcollage, rnumber, rgender and rpassword parameters in a…

more

POST HTTP request.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote unauthenticated SQL injection in a public-facing web application endpoint enables exploitation via T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24956Shared CWE-89
CVE-2026-33615Shared CWE-89
CVE-2025-28939Shared CWE-89
CVE-2021-47872Shared CWE-89
CVE-2025-28873Shared CWE-89
CVE-2019-25636Shared CWE-89
CVE-2026-32611Shared CWE-89
CVE-2026-42755Shared CWE-89
CVE-2024-53544Shared CWE-89
CVE-2026-21410Shared CWE-89

Affected Assets

jayesh
online exam system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates SQL injection by requiring validation of untrusted POST parameters like rname, rcollage, rnumber, rgender, and rpassword before use in database queries.

prevent

Addresses the specific flaw in /exam/user/profile.php by identifying, reporting, and remediating the improper SQL handling vulnerability.

prevent

Restricts input types, lengths, and formats for vulnerable POST parameters to block common SQL injection payloads.

References