CVE-2025-28076

MEDIUM

EasyVirt DCScope <=8.6.4 & CO2Scope <=1.3.4 - SQL Injection

Title source: llm

Description

Multiple SQL injection vulnerabilities in EasyVirt DCScope <= 8.6.4 and CO2Scope <= 1.3.4 allows remote authenticated attackers to execute arbitrary SQL commands via the (1) timeago, (2) user, (3) filter, (4) target, (5) p1, (6) p2, (7) p3, (8) p4, (9) p5, (10) p6, (11) p7, (12) p8, (13) p9, (14) p10, (15) p11, (16) p12, (17) p13, (18) p14, (19) p15, (20) p16, (21) p17, (22) p18, (23) p19, or (24) p20 parameter to /api/management/updateihmsettings; the (25) ID, (26) NAME, (27) CPUTHREADNB, (28) RAMCAP, or (29) DISKCAP parameter to /api/capaplan/savetemplates.

References (2)

Core 2

Core References

Various Sources

https://github.com/Elymaro/CVE/blob/main/EasyVirt/CVE-2025-28076.md

View Writeup ZIP pw:eip

Various Sources

https://www.easyvirt.com/

Scores

CVSS v3 6.5

EPSS 0.0018

EPSS Percentile 39.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-89

Status published

Published Apr 25, 2025

Tracked Since Feb 18, 2026