CVE-2025-29085

CRITICAL EXPLOITED NUCLEI

Vipshop Saturn Console <= 3.5.1 - SQL Injection via ClusterKey Component

Title source: nuclei

Description

SQL injection vulnerability in vipshop Saturn v.3.5.1 and before allows a remote attacker to execute arbitrary code via /console/dashboard/executorCount?zkClusterKey component.

Nuclei Templates (1)

Vipshop Saturn Console <= 3.5.1 - SQL Injection via ClusterKey Component

CRITICALVERIFIEDby iamnoooob,rootxharsh,pdresearch

References (1)

[Various Sources] https://gist.github.com/Cafe-Tea/bcef0d7a2bdb5ec8e0d69de852fdc900

Scores

CVSS v3 9.8

EPSS 0.2257

EPSS Percentile 95.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2025-06-09

CWE

CWE-89

Status published

Products (1)

com.vip.saturn/saturn-console 0Maven

Published Apr 02, 2025

Tracked Since Feb 18, 2026