Cyber Resilience

CVE-2025-63532

Critical

Published: 01 December 2025

Published
01 December 2025
Modified
04 December 2025
KEV Added
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
EPSS Score 0.0008 24.1th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-63532 is a critical-severity SQL Injection (CWE-89) vulnerability in Shridharshukl Blood Bank Management System. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-63532 is a SQL injection vulnerability (CWE-89) affecting Blood Bank Management System 1.0, specifically within the cancel.php component. Published on 2025-12-01T16:15:55.800, it carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N). The vulnerability arises because the application does not properly sanitize user-supplied input in SQL queries, enabling attackers to inject arbitrary SQL code through manipulation of the search field.

An attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation alters the scope (S:C) and results in high impacts to confidentiality (C:H) and integrity (I:H), with no availability impact (A:N). By injecting SQL via the search field, the attacker can bypass authentication mechanisms and gain unauthorized access to the system.

Advisories and additional details are available in the provided references, including a Google Drive document at https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing, the Blood Bank Management System GitHub repository at https://github.com/Shridharshukl/Blood-Bank-Management-System, and a CVE-specific page at https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63532.md.

EU & UK References

Vulnerability details

A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the cancel.php component. The application fails to properly sanitize user-supplied input in SQL queries, allowing an attacker to inject arbitrary SQL code. By manipulating the search field,…

more

an attacker can bypass authentication and gain unauthorized access to the system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection vulnerability in the web application's cancel.php allows bypassing authentication and unauthorized access by exploiting a public-facing application.

CVEs Like This One

CVE-2025-63531Same product: Shridharshukl Blood Bank Management System
CVE-2025-63535Same product: Shridharshukl Blood Bank Management System
CVE-2025-63529Same product: Shridharshukl Blood Bank Management System
CVE-2026-39334Shared CWE-89
CVE-2024-13488Shared CWE-89
CVE-2026-20002Shared CWE-89
CVE-2025-1446Shared CWE-89
CVE-2025-22699Shared CWE-89
CVE-2026-36232Shared CWE-89
CVE-2026-31871Shared CWE-89

Affected Assets

shridharshukl
blood bank management system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection by requiring validation and sanitization of user-supplied input like the search field before inclusion in SQL queries in cancel.php.

prevent

Remediates the specific SQL injection flaw in cancel.php through identification, reporting, and correction of the unsanitized input issue.

detect

Vulnerability scanning and monitoring detects SQL injection vulnerabilities like CVE-2025-63532 in applications such as the Blood Bank Management System.

References