CVE-2025-51567
Published: 12 January 2026
Summary
CVE-2025-51567 is a critical-severity SQL Injection (CWE-89) vulnerability in Jayesh Online Exam System. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 27.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-51567 is a SQL injection vulnerability (CWE-89) affecting kashipara Online Exam System V1.0, specifically in the /exam/user/profile.php page. The flaw arises from improper handling of POST request parameters including rname, rcollage, rnumber, rgender, and rpassword, enabling remote attackers to inject and execute arbitrary SQL commands for unauthorized database access. Published on 2026-01-12, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), marking it as critical due to its network accessibility and lack of prerequisites.
Unauthenticated remote attackers can exploit the vulnerability by submitting malicious payloads via the vulnerable POST parameters to the profile update endpoint. Exploitation allows execution of arbitrary SQL commands, resulting in high-impact confidentiality and integrity violations, such as extracting sensitive data from the database or altering records, with no direct availability disruption.
A technical writeup providing further details on the vulnerability is available at https://github.com/0xBhushan/Writeups/blob/main/CVE/Kashipara/Online%20Exam%20System/SQL%20Injection-Profile%20Update.pdf. No official vendor advisories or patches are referenced in the CVE information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1912
Vulnerability details
A SQL Injection was found in the /exam/user/profile.php page of kashipara Online Exam System V1.0, which allows remote attackers to execute arbitrary SQL command to get unauthorized database access via the rname, rcollage, rnumber, rgender and rpassword parameters in a POST HTTP request.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote unauthenticated SQL injection in a public-facing web application endpoint enables exploitation via T1190.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mitigates SQL injection by requiring validation of untrusted POST parameters like rname, rcollage, rnumber, rgender, and rpassword before use in database queries.
Addresses the specific flaw in /exam/user/profile.php by identifying, reporting, and remediating the improper SQL handling vulnerability.
Restricts input types, lengths, and formats for vulnerable POST parameters to block common SQL injection payloads.
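An added example (not code from this page or from the affected project) of the controls above applied to a profile-update handler: allow-list validation of the five POST parameters followed by a parameterized UPDATE. The `users` table, its column names, the validation patterns and the use of PDO with an in-memory SQLite database are assumptions made for the demo.

```php
<?php
// Hypothetical schema and rules: the real table, columns and formats are not on the page.
const RULES = [
    'rname'    => '/^[\p{L} .\'-]{1,64}$/u',
    'rcollage' => '/^[\p{L}\p{N} .,&\'-]{1,128}$/u',
    'rnumber'  => '/^\+?[0-9]{7,15}$/',
    'rgender'  => '/^(male|female|other)$/',
];
function validate_profile(array $post): array
{
    $clean = [];
    foreach (RULES as $field => $pattern) {
        $value = $post[$field] ?? null;
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            throw new InvalidArgumentException("invalid $field");
        }
        $clean[$field] = $value;
    }
    // The password is length-checked, then hashed; bcrypt ignores bytes past 72.
    $pw = $post['rpassword'] ?? null;
    if (!is_string($pw) || strlen($pw) < 8 || strlen($pw) > 72) {
        throw new InvalidArgumentException('invalid rpassword');
    }
    $clean['rpassword'] = password_hash($pw, PASSWORD_BCRYPT);
    return $clean;
}

// $userId is assumed to come from the authenticated session, never from the request.
function update_profile(PDO $db, int $userId, array $post): int
{
    $c = validate_profile($post);
    // Placeholders keep every value out of the SQL text, whatever it contains.
    $stmt = $db->prepare(
        'UPDATE users SET name = :rname, college = :rcollage, phone = :rnumber,
                gender = :rgender, password = :rpassword WHERE id = :id'
    );
    $stmt->execute($c + ['id' => $userId]);
    return $stmt->rowCount();
}
// Constructed demo data against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name, college, phone, gender, password)');
$db->exec('INSERT INTO users (id) VALUES (1)');
$ok = ['rname' => "Asha O'Neil", 'rcollage' => 'City College', 'rnumber' => '+911234567890',
       'rgender' => 'female', 'rpassword' => 'correct horse battery'];
echo update_profile($db, 1, $ok), " row updated\n";
try { update_profile($db, 1, ['rgender' => "fe'male"] + $ok); }
catch (InvalidArgumentException $e) { echo 'rejected: ', $e->getMessage(), "\n"; }
```

The prepared statement is what removes the injection; the allow-list is a second layer that also rejects malformed values before they reach the database.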