CVE-2025-7886

MEDIUM EPSS 29.5%

Published Jul 20, 202511mo ago · Modified Jun 17, 20261w ago

5.5 CVSS 4.0

Medium

Published Jul 20, 2025 11mo ago

Last Modified Jun 17, 2026 1w ago

Description

A vulnerability, which was classified as critical, was found in pmTicket Project-Management-Software up to 2ef379da2075f4761a2c9029cf91d073474e7486. This affects the function getUserLanguage of the file classes/class.database.php. The manipulation of the argument user_id leads to sql injection. It is possible to initiate the attack remotely. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

Base Score

5.5

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

29.5% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 2

CWE-74

CWE-89 SQL Injection Injection

References 4

asciinema.org https://asciinema.org/a/3wu3WGpnrnMc2GDvSyLUqqHUF
vuldb.com https://vuldb.com/?ctiid.317001
vuldb.com https://vuldb.com/?id.317001
vuldb.com https://vuldb.com/?submit.614534

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.