CVE-2025-51667

Aliases:GHSA-f2m2-4q6r-cwc4GO-2025-3916

Advisory lineage Upstream: 0 Downstream: 2

Downstream

OPENSUSE-SU-2025:15538-1 SUSE-SU-2025:03289-1

Analyzed

Published: 27 Aug 2025, 00:00

Last modified:27 Aug 2025, 17:46

Vulnerability Summary

Overall Risk (default)

medium

38/100

CVSS Score

7 HIGH

v3.1 (cve.org)

EPSS Score

0.06% LOW

0% probability +0.03%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

27 Aug 2025, 00:00

Published

Vulnerability first disclosed

27 Aug 2025, 17:46

Last Modified

Vulnerability information updated

Description

An issue was discovered in simple-admin-core v1.2.0 thru v1.6.7. The /sys-api/role/update interface in the simple-admin-core system has a limited SQL injection vulnerability, which may lead to partial data leakage or disruption of normal system operations.

CVSS Metrics

v3.1•HIGH•Score: 7CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

EPSS Trends

Current EPSS score: 0.06%• Percentile: 20%

Techniques & Countermeasures

CWE-89•Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Affected Systems

github.com/suyuan32•simple-admin-core
≥ 1.2.0, < 1.6.8
ryansu•simple_admin
≥ 1.2.0, ≤ 1.6.7