CVE-2025-52025
CRITICALAptsys gemscms_backend < 2025-05-28 - SQL Injection via GetServiceByRestaurantID Endpoint
Title source: llmDescription
An SQL Injection vulnerability exists in the GetServiceByRestaurantID endpoint of the Aptsys gemscms POS Platform backend thru 2025-05-28. The vulnerability arises because user input is directly inserted into a dynamic SQL query syntax without proper sanitization or parameterization. This allows an attacker to inject and execute arbitrary SQL code by submitting crafted input in the id parameter, leading to unauthorized data access or modification.
References (2)
Core 2
Core References
Product
http://aptsys.com
Third Party Advisory, Mitigation
https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39
Scores
CVSS v3
9.4
EPSS
0.0033
EPSS Percentile
24.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-89
Status
published
Products (1)
aptsys/gemscms_backend
< 2025-05-28
Published
Jan 23, 2026
Tracked Since
Feb 18, 2026