CVE-2025-26200
📋 TL;DR
This SQL injection vulnerability in SLIMS v9.6.1 allows remote attackers to execute arbitrary SQL commands via the month parameter in visitor_report_day.php. Successful exploitation could lead to privilege escalation, data theft, or complete system compromise. All organizations running vulnerable SLIMS versions are affected.
💻 Affected Systems
- SLIMS (Senayan Library Management System)
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data exfiltration, privilege escalation to administrative access, and potential remote code execution through database functions.
Likely Case
Unauthorized access to sensitive library patron data, modification of library records, and privilege escalation to gain administrative control of the SLIMS system.
If Mitigated
Limited impact with proper input validation and database permission restrictions, potentially only allowing data viewing without modification.
🎯 Exploit Status
Exploitation requires understanding of SQL injection techniques and SLIMS database structure. The month parameter manipulation is the attack vector.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check GitHub issue for specific patched version
Vendor Advisory: https://github.com/slims/slims9_bulian/issues/269
Restart Required: No
Instructions:
1. Check the GitHub issue for patch details.
2. Update to the latest SLIMS version.
3. Apply input validation/sanitization to the month parameter.
4. Test the visitor_report_day.php functionality.
🔧 Temporary Workarounds
Input Validation Workaround
Add server-side validation to ensure the month parameter contains only numeric values.
Modify visitor_report_day.php to validate $_GET['month'] with is_numeric() or regex matching.
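The validation described above, written out as an added example (not SLIMS code and not the upstream fix): a strict allowlist check on the month value, shown next to the unsafe string-concatenation pattern it replaces. The table and column names (visitor_count, checkin_date) are assumptions for illustration only.

```php
<?php
// Added example, not part of SLIMS. Table/column names are assumed.

/**
 * Return the month as an int in 1..12, or null if the input is not an
 * acceptable month. A strict regex is used instead of is_numeric(), which
 * also accepts values such as "1e1", " 7" or "7.0" that should never reach SQL.
 */
function validate_month(?string $raw): ?int
{
    if ($raw === null || !preg_match('/^(0?[1-9]|1[0-2])$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Unsafe pattern: the untrusted value is concatenated into the query text,
// so anything in $_GET['month'] becomes part of the SQL statement.
function build_query_unsafe(string $month): string
{
    return "SELECT DATE(checkin_date) AS day, COUNT(*) AS visits "
         . "FROM visitor_count WHERE MONTH(checkin_date) = " . $month . " "
         . "GROUP BY day";
}

// Hardened pattern: the value is validated, then bound as an integer through
// a prepared statement, so it can never change the structure of the query.
function fetch_daily_visits(PDO $db, ?string $raw): array
{
    $month = validate_month($raw);
    if ($month === null) {
        http_response_code(400);   // reject; never fall back to the raw value
        return [];
    }
    $stmt = $db->prepare(
        'SELECT DATE(checkin_date) AS day, COUNT(*) AS visits '
      . 'FROM visitor_count WHERE MONTH(checkin_date) = :month GROUP BY day'
    );
    $stmt->bindValue(':month', $month, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (constructed input): "3" is accepted, "13" and "3 OR 1=1" are rejected.
// $rows = fetch_daily_visits($pdo, $_GET['month'] ?? null);
```

Even with validation in place, keep the prepared statement: the allowlist is defence in depth, while parameter binding is what actually prevents the injection.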
WAF Rule Implementation
Deploy web application firewall rules to block SQL injection patterns in the month parameter.
Add a WAF rule that detects SQL keywords in the month parameter (SELECT, UNION, INSERT, etc.).
🧯 If You Can't Patch
- Disable or restrict access to visitor_report_day.php component
- Implement strict database user permissions with least privilege principle
🔍 How to Verify
Check if Vulnerable:
Test the month parameter with SQL injection payloads like ' OR '1'='1 and observe whether database errors or unexpected behavior result.
Check Version:
Check the SLIMS version in the admin panel, or review the SLIMS configuration files for version information.
Verify Fix Applied:
Repeat the SQL injection tests on the month parameter; a successful fix should reject malicious input and show proper error handling.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple failed login attempts followed by visitor_report_day.php access
- Suspicious month parameter values containing SQL keywords
Network Indicators:
- HTTP requests to visitor_report_day.php with SQL injection patterns in parameters
- Unusual database query patterns originating from the web server IP
SIEM Query:
web.url: "*visitor_report_day.php*" AND (web.param: "*SELECT*" OR web.param: "*UNION*" OR web.param: "*OR 1=1*")