CRITICAL · CVE-2025-10266 · CVSS 9.8

CVE-2025-10266: SQL Injection in NUP Portal

Platform

other

Component

nup-portal

Fixed in

5.0.1

AI Confidence: high · Source: NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2025-10266 describes a critical SQL Injection vulnerability discovered in the NUP Portal developed by NewType Infortech. This vulnerability allows unauthenticated remote attackers to inject arbitrary SQL commands, leading to unauthorized access and manipulation of sensitive data. Versions 0 through SP5.0 are affected. A patch is available in version 5.0.1.

Impact and Attack Scenarios

The impact of this SQL Injection vulnerability is severe. An attacker could leverage it to bypass authentication and gain complete control over the NUP Portal's database. This includes the ability to read confidential user data (usernames, passwords, personal information), modify critical system configurations, and even delete entire database tables. Successful exploitation could lead to a complete compromise of the system and significant data loss. The potential for lateral movement within the network depends on the database's permissions and connectivity to other systems, but the initial breach point is highly impactful.

Exploitation Context

CVE-2025-10266 has been publicly disclosed and assigned a CRITICAL CVSS score of 9.8. While no public proof-of-concept (PoC) code has been released at the time of writing, the ease of SQL Injection exploitation suggests a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Active campaigns targeting this vulnerability are not yet confirmed, but the severity warrants immediate attention and proactive security measures.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.12% (32% percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8, CRITICAL)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. The attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: None — the attack is automatic and silent. The victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: High — complete confidentiality loss. The attacker can read all data: credentials, keys, personal data.
Integrity: High — the attacker can write, modify, or delete any data: databases, config files, or code.
Availability: High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: nup-portal
Vendor: NewType Infortech
Affected range: 0 – SP5.0
Fixed in: 5.0.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-10266 is to upgrade the NUP Portal to version 5.0.1 or later without delay. If upgrading is not immediately feasible because of compatibility issues or downtime concerns, apply temporary workarounds in the meantime: restrict network access to the NUP Portal so that only trusted sources can reach it, enforce strict input validation on all user-supplied data, and deploy a Web Application Firewall (WAF) with SQL Injection protection rules. Also review the permissions of the database account the portal uses, so that a successful attack can do as little damage as possible. After upgrading, confirm that the vulnerability is resolved by re-testing the previously affected inputs in an authorized security test against a non-critical endpoint.

How to fix

Update NUP Portal to version 5.0.1 or later, the release that fixes this SQL Injection vulnerability. Refer to the vendor's website, NewType Infortech, for the latest version and update instructions, and apply security updates as soon as they are available.

Frequently asked questions

What is CVE-2025-10266 — SQL Injection in NUP Portal?

CVE-2025-10266 is a critical SQL Injection vulnerability affecting NUP Portal versions 0–SP5.0, allowing attackers to manipulate the database.

Am I affected by CVE-2025-10266 in NUP Portal?

If you are using NUP Portal versions 0 through SP5.0, you are vulnerable. Upgrade to version 5.0.1 or later to mitigate the risk.

How do I fix CVE-2025-10266 in NUP Portal?

The recommended fix is to upgrade to version 5.0.1 or later. If immediate upgrade is not possible, implement temporary workarounds like WAF rules and input validation.

Is CVE-2025-10266 being actively exploited?

While no active campaigns are confirmed, the vulnerability's severity suggests a high probability of exploitation. Proactive mitigation is crucial.

Where can I find the official NUP Portal advisory for CVE-2025-10266?

Refer to the NewType Infortech website or security advisories for the official advisory regarding CVE-2025-10266.