CVE-2025-10846

MEDIUM

Portabilis i-educar < 2.10.0 - SQL Injection via ComponenteCurricular Edit ID Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-10846. PoCs published by KarinaGante.

AI-analyzed exploit summary: The repository contains a detailed technical writeup for CVE-2025-10846, focusing on a directory traversal vulnerability in a web application. It includes step-by-step exploitation details, screenshots, and a proof-of-concept demonstrating how to access sensitive files like `/etc/passwd` and `flag.txt` via path manipulation.

Description

A vulnerability was found in Portabilis i-Educar up to 2.10. It affects unknown code in the file /module/ComponenteCurricular/edit. Manipulating the argument ID causes SQL injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used.

Exploits (1)

github WRITEUP
by KarinaGante · htmlpoc
https://github.com/KarinaGante/KG-Sec/tree/main/CVEs/i-Educar/CVE-2025-10846.md

Classification: Writeup 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Unknown (TryHackMe Lo-Fi room)
No auth needed
Prerequisites: Access to the vulnerable web application
devstral-2 · analyzed Feb 27, 2026

References (5)

Core References
Third Party Advisory, VDB Entry vdb-entry technical-description
https://vuldb.com/?id.325208
Permissions Required, VDB Entry signature permissions-required
https://vuldb.com/?ctiid.325208
Third Party Advisory, VDB Entry third-party-advisory
https://vuldb.com/?submit.657691

Scores

CVSS v3 6.3
EPSS 0.0039
EPSS Percentile 30.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE CWE-74, CWE-89
Status published
Products (1)
portabilis/i-educar < 2.10.0
Published Sep 23, 2025
Tracked Since Feb 18, 2026