CVE-2025-15498 | THREATINT

Description

Pro3W CMS if vulnerable to SQL injection attacks. Improper neutralization of input provided into a login form allows an unauthenticated attacker to bypass authentication and gain administrative privileges. This issue was identified in version 1.2.0 of this software. Due to lack of response from the vendor exact version range could not be determined, but the vulnerability should be eliminated in versions released in January 2026 and later.

PUBLISHED Reserved 2026-01-09 | Published 2026-02-27 | Updated 2026-02-27 | Assigner CERT-PL

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status

unknown

Any version

affected

Credits

Jacek Czepil finder

References

cert.pl/posts/2026/02/CVE-2025-15498 third-party-advisory

www.pro3w.pl/ product

cve.org (CVE-2025-15498)

nvd.nist.gov (CVE-2025-15498)

Download JSON