Scan free
HIGHCVE-2025-9926CVSS 7.3

CVE-2025-9926: SQL Injection in Travel Management System

Platform

php

Fixed in

1.0.1

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026
View on NVD
Save

CVE-2025-9926 identifies a SQL Injection vulnerability within the Travel Management System, version 1.0. This flaw allows attackers to manipulate database queries through the 't1' parameter in the /viewsubcategory.php file, potentially compromising sensitive data. Affected users should upgrade to version 1.0.1 to mitigate this risk. A patch has been released to address the vulnerability.

Impact and Attack Scenarios

Successful exploitation of CVE-2025-9926 could grant an attacker unauthorized access to the Travel Management System's database. This could lead to the exfiltration of sensitive user data, including personal information, financial details, and travel itineraries. Depending on the database schema, an attacker might also be able to modify or delete data, disrupt system operations, or even gain control of the underlying server. The remote nature of the vulnerability significantly expands the potential attack surface, as it can be exploited from anywhere with network access.

Exploitation Context

CVE-2025-9926 has been publicly disclosed, indicating a higher likelihood of exploitation. A public proof-of-concept may be available, further increasing the risk. The vulnerability's ease of exploitation and the potential impact make it a priority for remediation. No KEV listing or EPSS score is currently available. The vulnerability was published on 2025-09-03.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh
NextGuard10–15% still vulnerable

EPSS

0.03% (9% percentile)

CISA SSVC

Exploitationpoc
Automatableyes
Technical Impacttotal

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R7.3HIGHAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityLowRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityLowRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Vendorprojectworlds
Affected rangeFixed in
1.0 – 1.01.0.1

Weakness Classification (CWE)

CWE-89CWE-74

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-9926 is to upgrade the Travel Management System to version 1.0.1, which includes a fix for the SQL Injection vulnerability. If an immediate upgrade is not feasible, consider implementing input validation and sanitization on the 't1' parameter in /viewsubcategory.php to prevent malicious SQL code from being injected. Web Application Firewalls (WAFs) configured to detect and block SQL Injection attempts can also provide a temporary layer of protection. After upgrading, verify the fix by attempting to inject a simple SQL query through the 't1' parameter and confirming that it is properly sanitized.

How to fix

Update to a patched version of the software. If no version is available, review the source code of `/viewsubcategory.php` and sanitize the input of the `t1` parameter to prevent (SQL Injection). Implement input validation and use parameterized queries.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-9926 — SQL Injection in Travel Management System?

CVE-2025-9926 is a SQL Injection vulnerability in Travel Management System version 1.0, allowing attackers to manipulate database queries via the 't1' parameter in /viewsubcategory.php.

Am I affected by CVE-2025-9926 in Travel Management System?

If you are using Travel Management System version 1.0, you are potentially affected. Upgrade to version 1.0.1 to resolve the vulnerability.

How do I fix CVE-2025-9926 in Travel Management System?

Upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the 't1' parameter and consider using a WAF.

Is CVE-2025-9926 being actively exploited?

CVE-2025-9926 has been publicly disclosed, increasing the likelihood of exploitation. Monitor your systems for suspicious activity.

Where can I find the official Travel Management System advisory for CVE-2025-9926?

Refer to the projectworlds website or relevant security mailing lists for the official advisory regarding CVE-2025-9926.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs