CVE-2025-44033
CRITICALaaluoxiang oa_system 1.1 - SQL Injection via AddressMapper allDirector Method
Title source: llmDescription
SQL injection vulnerability in oa_system oasys v.1.1 allows a remote attacker to execute arbitrary code via the allDirector() method declaration in src/main/java/cn/gson/oasys/mappers/AddressMapper.java
References (1)
Core 1
Core References
Exploit, Third Party Advisory
https://github.com/qkdjksfkeg/Security-Collections/blob/main/sqlinjection.md
Scores
CVSS v3
9.8
EPSS
0.0059
EPSS Percentile
43.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (1)
aaluoxiang/oa_system
1.1
Published
Aug 29, 2025
Tracked Since
Feb 18, 2026