CVE-2025-9140
MEDIUM51mis Lingdang Crm < 8.6.5.4 - Injection
Title source: ruleDescription
A vulnerability was identified in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.4.7. Affected by this issue is some unknown functionality of the file /crm/crmapi/erp/tabdetail_moduleSave.php. The manipulation of the argument getvaluestring leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Upgrading to version 8.6.5.4 can resolve this issue. The affected component should be upgraded. The vendor explains: "All SQL injection vectors were patched via parameterized queries and input sanitization in v8.6.5+."
Exploits (1)
exploitdb
WORKING POC
by Beatriz Fresno Naumova · textwebappsmultiple
https://www.exploit-db.com/exploits/52420
References (5)
Scores
CVSS v3
6.3
EPSS
0.0012
EPSS Percentile
30.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Details
CWE
CWE-74
CWE-89
Status
published
Products (1)
51mis/lingdang_crm
< 8.6.5.4
Published
Aug 19, 2025
Tracked Since
Feb 18, 2026