CVE-2025-14959

7.3 HIGH

📋 TL;DR

CVE-2025-14959 is an SQL injection vulnerability in Simple Stock System 1.0 that allows remote attackers to execute arbitrary SQL commands through the Username parameter in /market/signup.php. This affects all users running the vulnerable version of this software, potentially leading to data theft, manipulation, or system compromise.

💻 Affected Systems

Products:
  • Simple Stock System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /market/signup.php endpoint specifically; requires the application to be installed and accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data exfiltration, modification, or deletion; potential remote code execution if database permissions allow; full system takeover.

🟠 Likely Case

Unauthorized access to sensitive stock data, user credentials theft, and potential privilege escalation within the application.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available; attack can be launched remotely without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider implementing parameterized queries in /market/signup.php or migrating to a supported alternative.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation and sanitization for the Username parameter

Modify /market/signup.php to use prepared statements with parameterized queries
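
The prepared-statement change described above, as an added example (not code from Simple Stock System or its vendor). The table and column names (users, username, password_hash), the Password field, the UNIQUE index on username and the database credentials are assumptions; only the Username parameter and the POST method come from this advisory.

```php
<?php
// Added example: hardened signup handler using mysqli prepared statements.
// Assumed schema: users(username UNIQUE, password_hash). Not the project's code.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw

function signup(mysqli $db, string $username, string $password): bool
{
    // Allow-list validation: defence in depth, not the primary control.
    if (preg_match('/\A[A-Za-z0-9_.-]{3,32}\z/', $username) !== 1 || $password === '') {
        return false;
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Placeholders keep user input out of the SQL text; the driver sends
    // the values separately, so quotes in $username cannot alter the query.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    try {
        $stmt->execute();
        return true;
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() === 1062) { // duplicate key: username already taken
            return false;
        }
        throw $e;
    } finally {
        $stmt->close();
    }
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $u = $_POST['Username'] ?? '';
    $p = $_POST['Password'] ?? '';
    try {
        // Assumed connection settings; use a least-privilege DB account.
        $db = new mysqli('localhost', 'stock_app', getenv('DB_PASS') ?: '', 'stock');
        $db->set_charset('utf8mb4');
        $ok = signup($db, is_string($u) ? $u : '', is_string($p) ? $p : '');
        http_response_code($ok ? 201 : 400);
        echo $ok ? 'Account created' : 'Invalid or unavailable username';
    } catch (mysqli_sql_exception $e) {
        error_log('signup failed: ' . $e->getMessage()); // detail stays server-side
        http_response_code(500);
        echo 'Signup failed';
    }
}
```

Returning a generic error to the client while logging the detail server-side also removes the database error messages that the detection section lists as an indicator.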

Web Application Firewall (WAF)

all

Deploy WAF rules to block SQL injection patterns

Configure WAF to block requests containing SQL keywords in Username parameter

🧯 If You Can't Patch

  • Isolate the system from internet access and restrict to internal network only
  • Implement strict network segmentation and monitor all database access attempts

🔍 How to Verify

Check if Vulnerable:

Test the /market/signup.php endpoint with SQL injection payloads in the Username parameter

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Verify that parameterized queries are implemented and SQL injection attempts are rejected

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from web application
  • Multiple failed signup attempts with SQL keywords
  • Database error messages in application logs

Network Indicators:

  • HTTP POST requests to /market/signup.php containing SQL injection patterns
  • Unusual database traffic from web server

SIEM Query:

source="web_logs" AND uri="/market/signup.php" AND (Username CONTAINS "' OR" OR Username CONTAINS "UNION" OR Username CONTAINS "SELECT")
