CVE-2025-40617

CRITICAL

Bookgy - SQL Injection via IDTIPO IDPISTA IDSOCIO Parameters

Title source: llm
STIX 2.1

Description

SQL injection vulnerability in Bookgy. This vulnerability could allow an attacker to retrieve, create, update and delete databases by sending an HTTP request through the "IDTIPO", "IDPISTA" and "IDSOCIO" parameters in /bkg_seleccionar_hora_ajax.php.

References (1)

Core 1

Scores

CVSS v3 9.8
EPSS 0.0033
EPSS Percentile 24.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-89
Status published
Products (1)
bookgy/bookgy
Published Apr 29, 2025
Tracked Since Feb 18, 2026