CVE-2025-59473
Published: 26 January 2026
Summary
CVE-2025-59473 is a high-severity SQL injection (CWE-89) vulnerability in ExpressionEngine. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 14.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-59473 is a SQL injection vulnerability (CWE-89) in the Structure component that is reachable by admin-authenticated users. Published on 2026-01-26, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): high severity, network accessible, low attack complexity, requiring high-privilege (admin) authentication, with no user interaction and no scope change.
An attacker holding admin credentials can exploit this vulnerability remotely over the network with low complexity by injecting attacker-controlled SQL through the Structure component. Successful exploitation has high impact on confidentiality, integrity, and availability, potentially allowing full database compromise: data exfiltration, modification, or disruption.
Mitigation details are available in the referenced advisory at https://hackerone.com/reports/3249794.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206332
Vulnerability details
SQL Injection vulnerability in the Structure for Admin authenticated user
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
SQL injection in a network-accessible web application component enables remote exploitation of a public-facing application (T1190) by an authenticated admin, leading to full database compromise.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of information inputs to the Structure component, blocking malicious SQL payloads before they reach the database.
- SI-2 (Flaw Remediation): mandates timely remediation of the identified SQL injection flaw (CWE-89) in the admin Structure component.
- Least privilege: limits the database privileges granted to the application's admin account, reducing the confidentiality, integrity, and availability impact of a successful injection.