CVE-2025-69768
Published: 16 March 2026
Summary
CVE-2025-69768 is a high-severity SQL Injection (CWE-89) vulnerability in Chyrp, affecting version 2.5.2 and earlier. Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 17.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-69768 is a SQL injection vulnerability (CWE-89) affecting Chyrp versions 2.5.2 and earlier. The flaw resides in the Admin.php component, where attacker-controlled input reaches a database query without being neutralized, allowing a remote attacker to alter the query and read data it was never meant to return. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): reachable over the network, low attack complexity, no privileges or user interaction required, high confidentiality impact, and no scored impact on integrity or availability.
A remote, unauthenticated attacker can exploit the flaw by sending crafted requests to the vulnerable Admin.php endpoint and extracting sensitive information from the database, such as user credentials or other confidential data stored by the Chyrp application.
References include the official Chyrp GitHub repository at https://github.com/chyrp/chyrp, a code location in includes/controller/Admin.php pinned to commit 768dd2f7 at https://github.com/chyrp/chyrp/blob/768dd2f7/includes/controller/Admin.php#L1482, and a security analysis at https://swetha-subramanian6.github.io/web%20security/cve/chyrp-sqli-cve/. No patched release or mitigation is detailed in the CVE record itself.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208757
Vulnerability details
SQL Injection vulnerability in Chyrp v.2.5.2 and before allows a remote attacker to obtain sensitive information via the Admin.php component
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
Direct, unauthenticated remote exploitation of a public-facing web application component (Admin.php) via SQL injection to read data from the backing database.
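The detection side of T1190 for this class of flaw, as an added example written for this page (not Chyrp code and not from any real incident): a scorer for SQL-injection indicators in web-server access-log requests to an admin path. The log lines, URL paths, parameter names, indicator list and weights are constructed assumptions; Chyrp's actual routing is not reproduced here.

```python
# Constructed example: score SQL-injection indicators in Apache/nginx-style
# access-log lines for requests under an admin path. Paths, parameter names,
# sample lines and indicator weights are assumptions made for this page.
import re
from urllib.parse import unquote_plus, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# indicator name -> (pattern over the decoded query string, weight).
# A lone comment marker is weak evidence (it appears in ordinary text), so it
# scores below the alert threshold on its own.
INDICATORS = {
    "union_select": (re.compile(r"\bunion\b(?:\s|/\*.*?\*/)+(?:all(?:\s|/\*.*?\*/)+)?select\b", re.I), 3),
    "time_based": (re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I), 3),
    "schema_probe": (re.compile(r"\b(?:information_schema|sqlite_master|pg_catalog)\b", re.I), 2),
    "quote_tautology": (re.compile(r"'\s*(?:or|and)\s+['\d]", re.I), 2),
    "comment_terminator": (re.compile(r"--|/\*"), 1),
}
THRESHOLD = 2

# Constructed sample log: two benign admin requests, three injection attempts,
# one request outside the admin path.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Mar/2026:10:01:12 +0000] "GET /admin/?action=manage_posts&query=hello HTTP/1.1" 200 5123',
    '203.0.113.7 - - [16/Mar/2026:10:01:40 +0000] "GET /admin/?action=manage_posts&query=x%27%20UNION%20SELECT%20login%2Cpassword%20FROM%20users--%20 HTTP/1.1" 200 6012',
    '198.51.100.23 - - [16/Mar/2026:10:02:03 +0000] "GET /admin/?action=manage_posts&query=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9801',
    '198.51.100.23 - - [16/Mar/2026:10:02:30 +0000] "GET /admin/?action=manage_users&query=%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 120',
    '192.0.2.9 - - [16/Mar/2026:10:02:45 +0000] "GET /admin/?action=manage_posts&query=re-check%20--%20old HTTP/1.1" 200 4990',
    '192.0.2.44 - - [16/Mar/2026:10:03:00 +0000] "GET /index.php?page=1 HTTP/1.1" 200 4311',
]


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # Decode twice so double-encoded payloads (%2527 -> %27 -> ') are inspected
    # in the form the application would eventually see.
    rec["query"] = unquote_plus(unquote_plus(parts.query))
    return rec


def score_query(query):
    """Return (total weight, sorted indicator names) for a decoded query string."""
    hits = sorted(name for name, (pat, _w) in INDICATORS.items() if pat.search(query))
    return sum(INDICATORS[n][1] for n in hits), hits


def scan_log(lines, path_prefix="/admin"):
    """Alert on requests under path_prefix whose indicator score meets THRESHOLD."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(path_prefix):
            continue
        score, hits = score_query(rec["query"])
        if score >= THRESHOLD:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                           "score": score, "indicators": hits, "query": rec["query"]})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a["ts"], a["ip"], a["score"], a["indicators"], repr(a["query"]))
```

The scorer is deliberately narrow: it only looks at requests under the admin path and only at the query string, so POST bodies are out of scope unless the web server logs them. Keyword matching of this kind is an indicator, not proof; the useful follow-up is to pivot on the source IP and time window against database error logs and response sizes.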
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of all inputs reaching the Admin.php component. For CWE-89 the effective form of this control is passing user-supplied values to the database as bound parameters rather than concatenating them into query text; input filtering alone is routinely bypassed through alternate encodings and syntax.
- SI-2 (Flaw Remediation): mandates timely identification, reporting and remediation of flaws such as the SQL injection in Chyrp Admin.php. The CVE record identifies no fixed version, so track the upstream repository for a corrected release.
- Access control: enforces policies restricting unauthenticated remote access to the vulnerable Admin.php endpoint. Because the flaw requires no privileges (PR:N), limiting the admin interface to trusted networks is a compensating control while no fix is deployed.
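The injection described in the deeper analysis above and the SI-10 control in this list, as an added, constructed example written for this page: a Chyrp-style post lookup that concatenates a request parameter into SQL, beside the same lookup using a bound parameter, with a UNION payload that reads the users table through the vulnerable one. This is not Chyrp's Admin.php code; the schema, table and column names, helper names and payload are assumptions.

```python
# Constructed example for this page: a Chyrp-style post lookup that concatenates a
# request parameter into SQL, beside a parameterized version. Not Chyrp's Admin.php;
# the schema, table names, payload and helper names are all assumptions.
import sqlite3


def build_db():
    """In-memory stand-in for the blog database, seeded with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, status TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT)")
    conn.executemany("INSERT INTO posts (title, status) VALUES (?, ?)",
                     [("Hello world", "public"), ("Draft notes", "draft")])
    conn.executemany("INSERT INTO users (login, password) VALUES (?, ?)",
                     [("admin", "$2y$10$constructedhash"), ("editor", "$2y$10$anotherhash")])
    conn.commit()
    return conn


def find_posts_vulnerable(conn, status):
    # CWE-89: the caller-supplied value becomes part of the SQL text, so quote
    # characters and keywords inside it are parsed as SQL rather than as data.
    sql = "SELECT title, status FROM posts WHERE status = '" + status + "'"
    return conn.execute(sql).fetchall()


def find_posts_fixed(conn, status):
    # Hardened form (SI-10 at the query boundary): the value travels as a bound
    # parameter, the engine never re-parses it, and the same payload matches
    # nothing and leaks nothing.
    return conn.execute(
        "SELECT title, status FROM posts WHERE status = ?", (status,)
    ).fetchall()


# Attacker-controlled value: closes the string literal, appends a UNION whose
# column count matches the original SELECT, and comments out the trailing quote.
PAYLOAD = "x' UNION SELECT login, password FROM users -- "


def demo():
    """Run the same payload through both variants; returns (leaked_rows, fixed_rows)."""
    conn = build_db()
    leaked = find_posts_vulnerable(conn, PAYLOAD)   # user logins and password hashes
    safe = find_posts_fixed(conn, PAYLOAD)          # [] since no post has that status
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked)
    print("parameterized:", safe)
```

The leaked rows are exactly the confidentiality impact the CVSS vector scores (C:H with I:N/A:N): the attacker reads data but, through this query alone, does not modify it. Note that the fix is the bound parameter, not escaping or keyword blocking; both of those leave the value inside the SQL text where encoding tricks can still reach the parser.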