CVE-2019-25443

HIGH

inventory-webapp - Unauthenticated SQL Injection via add-item.php Parameters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25443. PoCs published by mohammad zaheri.

AI-analyzed exploit summary The exploit demonstrates a SQL injection vulnerability in the Inventory Webapp's add-item.php page, where user-controlled input from GET parameters is directly used in a SQL query without sanitization. The PoC shows how an attacker can inject arbitrary SQL via the 'itemquery' parameter.

Description

Inventory Webapp contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. Attackers can supply malicious SQL payloads in the name, description, quantity, or cat_id parameters to add-item.php to execute arbitrary database commands.

Exploits (1)

exploitdb WORKING POC
by mohammad zaheri · textwebappsphp
https://www.exploit-db.com/exploits/47356

The exploit demonstrates a SQL injection vulnerability in the Inventory Webapp's add-item.php page, where user-controlled input from GET parameters is directly used in a SQL query without sanitization. The PoC shows how an attacker can inject arbitrary SQL via the 'itemquery' parameter.

Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: Inventory Webapp (GitHub repository by edlangley)
No auth needed
Prerequisites: Access to the vulnerable endpoint /php/add-item.php
devstral-2 · analyzed Feb 22, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/47356

Scores

CVSS v3 8.2
EPSS 0.0023
EPSS Percentile 14.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
edlangley/inventory-webapp
Published Feb 22, 2026
Tracked Since Feb 22, 2026