CVE-2025-15496
critical
CVSS v3
9.8
CVSS v2
6.5
VIR risk
9.8
Description
A vulnerability was determined in guchengwuyue yshopmall up to 1.9.1. Affected is the function getPage of the file /api/jobs. This manipulation of the argument sort causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
Predictions
Exploit likelihood
97%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cna@vuldb.com — https://github.com/guchengwuyue/yshopmall/issues/39#issue-3769727898
Vendor advisory: cna@vuldb.com — https://github.com/guchengwuyue/yshopmall/issues/39
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| guchengwuyue | yshopmall | {"endIncluding":"1.9.1"} | |
References
- https://github.com/guchengwuyue/yshopmall/
- https://github.com/guchengwuyue/yshopmall/issues/39
- https://github.com/guchengwuyue/yshopmall/issues/39#issue-3769727898
- https://vuldb.com/?ctiid.340274
- https://vuldb.com/?id.340274
- https://vuldb.com/?submit.726464
- https://github.com/guchengwuyue/yshopmall/issues/39
- https://github.com/guchengwuyue/yshopmall/issues/39#issue-3769727898
CWEs
CWE-74 CWE-89
Verify integrity in audit chain (admin only). AS-IS.