CVE-2025-15498
CRITICAL
Pro3W CMS 1.2.0 - Unauthenticated SQL Injection via Login Form
Title source: llm
Description
Pro3W CMS is vulnerable to SQL injection attacks. Improper neutralization of input provided into a login form allows an unauthenticated attacker to bypass authentication and gain administrative privileges. This issue was identified in version 1.2.0 of this software. Due to lack of response from the vendor, the exact version range could not be determined, but the vulnerability should be eliminated in versions released in January 2026 and later.
References (2)
Core References
Various Sources third-party-advisory
https://cert.pl/posts/2026/02/CVE-2025-15498
Various Sources product
https://www.pro3w.pl/
Scores
CVSS v4
9.3
EPSS
0.0047
EPSS Percentile
37.0%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-89
Status
published
Published
Feb 27, 2026
Tracked Since
Feb 27, 2026