CVE-2025-15196

7.3 HIGH

📋 TL;DR

CVE-2025-15196 is an SQL injection vulnerability in code-projects Assessment Management 1.0 that allows attackers to execute arbitrary SQL commands via the userid parameter in login.php. This can lead to unauthorized data access, modification, or deletion. Organizations using Assessment Management 1.0 are affected.

💻 Affected Systems

Products:
  • code-projects Assessment Management
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the login.php file specifically. Any installation with default configuration is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data destruction, and potential remote code execution if database permissions allow.

🟠 Likely Case

Unauthorized access to sensitive assessment data, user credentials, and potential privilege escalation.

🟢 If Mitigated

Limited impact with proper input validation and database permission restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit is publicly available and can be launched remotely without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider implementing input validation and parameterized queries in login.php.

🔧 Temporary Workarounds

Implement Input Validation

all

Add server-side validation of the userid parameter before it is processed.

Edit login.php to validate the userid input using a regex or type checking.

Use Parameterized Queries

all

Replace direct SQL concatenation with prepared statements.

Modify the SQL queries in login.php to use parameterized queries.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns
  • Restrict network access to the application to trusted IPs only

🔍 How to Verify

Check if Vulnerable:

Test login.php with SQL injection payloads in the userid parameter (e.g., ' OR '1'='1).

Check Version:

Check application version in admin panel or configuration files.

Verify Fix Applied:

Verify that SQL injection payloads no longer work and proper input validation is implemented.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed login attempts with SQL-like patterns

Network Indicators:

  • HTTP requests to login.php with SQL injection payloads in parameters

SIEM Query:

source="web_logs" AND uri="/login.php" AND (userid CONTAINS "' OR" OR userid CONTAINS "--" OR userid CONTAINS ";")
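The SIEM query above matches raw substrings, so a percent-encoded or tab-separated value in userid would not match it. The following added example (not from this advisory or the vendor) applies the same three patterns after decoding and whitespace normalization; the record fields `uri` and `body` are assumed names and the sample records are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Substrings taken from the SIEM query above, lower-cased for comparison.
PATTERNS = ("' or", "--", ";")

def userid_values(uri, body=""):
    """Return every percent-decoded userid value from the query string and form body."""
    pairs = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return [value for key, value in pairs if key == "userid"]

def matches(record):
    """Return the patterns found in userid for a login.php request, else []."""
    if not urlsplit(record["uri"]).path.lower().endswith("/login.php"):
        return []
    hits = set()
    for value in userid_values(record["uri"], record.get("body", "")):
        # Collapse tabs/newlines/repeated spaces so "'\tOR" still matches "' or".
        normalized = re.sub(r"\s+", " ", value.lower())
        hits.update(p for p in PATTERNS if p in normalized)
    return sorted(hits)

def scan(records):
    """Return (index, hits) for every record that matches at least one pattern."""
    return [(i, h) for i, r in enumerate(records) if (h := matches(r))]

# Constructed sample records (hypothetical field names "uri" and "body").
SAMPLE = [
    {"uri": "/login.php", "body": "userid=alice&password=x"},
    {"uri": "/login.php", "body": "userid=%27%20OR%20%271%27%3D%271&password=x"},
    {"uri": "/login.php", "body": "userid=%27%09oR%091&password=x"},
    {"uri": "/app/login.php?userid=x%27--", "body": ""},
    {"uri": "/login.php", "body": "userid=bob%3B&password=x"},
    {"uri": "/index.php", "body": "userid=%27+OR+1"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE):
        print(index, SAMPLE[index]["uri"], hits)
```

The "--" and ";" patterns are broad and will also flag benign values, so treat hits as leads for review rather than confirmed attempts. If request bodies are logged to feed this check, capture only the userid field and never the password.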
