CVE-2019-25486

HIGH

Varient 1.6.1 - Unauthenticated SQL Injection via user_id Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25486. PoCs published by Mehmet EMIROGLU.

AI-analyzed exploit summary: The exploit demonstrates a SQL injection vulnerability in Varient 1.6.1 via the 'user_id' parameter in a POST request. The attack pattern bypasses authentication and manipulates the SQL query to inject arbitrary conditions.

Description

Varient 1.6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user_id parameter. Attackers can submit POST requests with crafted SQL payloads in the user_id field to bypass authentication and extract sensitive database information.

Exploits (1)

exploitdb WORKING POC
by Mehmet EMIROGLU · text · webapps · multiple
https://www.exploit-db.com/exploits/47058

Classification
Working PoC 90%
Attack Type
SQLi
Complexity
Trivial
Reliability
Reliable
Target: Varient v1.6.1
No auth needed
Prerequisites: Access to the target web application · Ability to send crafted POST requests
devstral-2 · analyzed Mar 12, 2026

References (3)

Core References (3)
Exploit, Third Party Advisory (exploit): https://www.exploit-db.com/exploits/47058
Various Sources (product): https://varient.codingest.com/

Scores

CVSS v3 8.2
EPSS 0.0033
EPSS Percentile 25.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
Varient/Varient SQL Inj. 1.6.1
Published Mar 11, 2026
Tracked Since Mar 12, 2026