CVE-2025-52390

CRITICAL

Saurus CMS Community Edition - SQL Injection

Title source: llm

Description

Saurus CMS Community Edition since commit d886e5b0 (2010-04-23) is vulnerable to a SQL Injection vulnerability in the `prepareSearchQuery()` method in `FulltextSearch.class.php`. The application directly concatenates user-supplied input (`$search_word`) into SQL queries without sanitization, allowing attackers to manipulate the SQL logic and potentially extract sensitive information or escalate their privileges.

References (2)

Core 2

Core References

Various Sources

https://github.com/sauruscms/Saurus-CMS-Community-Edition/blob/d886e5b0c1e2b42cd74e2184e7c81c720cd9de6b/classes/FulltextSearch.class.php#L331

View Writeup ZIP pw:eip

Various Sources

https://github.com/theharshkothari/vulnerability-research/blob/main/CVE-2025-52390.md

View Writeup ZIP pw:eip

Scores

CVSS v3 9.1

EPSS 0.0054

EPSS Percentile 41.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-89

Status published

Published Aug 01, 2025

Tracked Since Feb 18, 2026