Platform: php
Component: resourcespace
Fixed in: 8.6.1
CVE-2019-25693 describes a SQL injection vulnerability discovered in ResourceSpace version 8.6. This flaw allows authenticated attackers to inject malicious SQL code through the 'keywords' parameter within the collection_edit.php file, potentially leading to unauthorized data access and manipulation. The vulnerability was published on 2026-04-12 and a fix is available in a patched version of ResourceSpace.
Successful exploitation of CVE-2019-25693 lets an authenticated attacker inject SQL directly into the queries ResourceSpace runs against its database. This can expose sensitive information, including database schema details, user credentials (usernames and passwords), and other confidential data stored in the database. The attacker could also modify or delete data, causing data integrity problems and disruption of service. Although the vulnerability requires authentication, any compromised user account is enough to reach it and carry out these attacks.
CVE-2019-25693 is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits for this vulnerability are not widely available, suggesting limited active exploitation. The vulnerability was disclosed on 2026-04-12.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2019-25693 is to upgrade ResourceSpace to a version containing a patch that addresses the SQL injection vulnerability. If upgrading immediately is not possible, consider implementing strict input validation on the 'keywords' parameter in collection_edit.php to sanitize user-supplied input. Web application firewalls (WAFs) configured with rules to detect and block SQL injection attempts can also provide a layer of defense. Regularly review database access logs for suspicious activity. After upgrade, confirm the vulnerability is resolved by attempting a SQL injection payload through the keywords parameter and verifying that it is properly sanitized.
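As an added illustration of the log review recommended above (example code written for this page, not ResourceSpace's own), the following Python triage script picks out requests to collection_edit.php whose keywords value contains SQL metacharacters or operators that never belong in a keyword list. It assumes Apache combined-format access logs, that the parameter arrives in the query string (POST bodies are not logged), and a /pages/ prefix for the script path; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Apr/2026:10:01:02 +0000] "GET /pages/collection_edit.php?ref=12&keywords=landscape+photos HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - bob [12/Apr/2026:10:01:09 +0000] "GET /pages/collection_edit.php?ref=12&keywords=x%27%20OR%201%3D1--%20 HTTP/1.1" 200 5120 "-" "curl/8.0"
10.0.0.9 - bob [12/Apr/2026:10:01:15 +0000] "GET /pages/collection_edit.php?ref=12&keywords=x%27%20UNION%20SELECT%201%2C2%2C3--%20 HTTP/1.1" 500 312 "-" "curl/8.0"
10.0.0.7 - carol [12/Apr/2026:10:02:00 +0000] "GET /pages/search.php?search=test HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

# The fields of a combined-format line that the review needs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators that are not legitimate in a keyword list; hits are for analyst review,
# not an automatic verdict (a quote directly followed by an operator is the key signal).
SUSPECT = {
    "quote_then_operator": re.compile(r"""['"]\s*\b(or|and|union|select)\b""", re.I),
    "union_select":        re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "sql_comment":         re.compile(r"(--|#|/\*)"),
    "time_based":          re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
}

def keywords_from_target(target):
    """Return the decoded 'keywords' value for collection_edit.php requests, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/collection_edit.php"):
        return None
    values = parse_qs(parts.query).get("keywords")   # percent- and plus-decoded
    return values[0] if values else None

def scan_log(text):
    """Return one finding per request whose keywords value trips a SUSPECT pattern."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip it
        kw = keywords_from_target(m["target"])
        if kw is None:
            continue                      # other endpoint or no keywords parameter
        reasons = [name for name, rx in SUSPECT.items() if rx.search(kw)]
        if reasons:
            findings.append({"ip": m["ip"], "user": m["user"], "status": int(m["status"]),
                             "keywords": kw, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['user']} HTTP {f['status']}: {f['keywords']!r} -> {', '.join(f['reasons'])}")
```

A 500 response paired with a flagged keywords value is worth prioritising, since a broken query is what an injection attempt against unpatched 8.6 would typically produce.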
Update ResourceSpace to a patched version. Consult the official ResourceSpace documentation or website for specific instructions on how to update and apply security patches.
CVE-2019-25693 is a SQL injection vulnerability in ResourceSpace 8.6 that allows authenticated attackers to execute SQL queries through the keywords parameter, potentially exposing sensitive data.
If you are running ResourceSpace version 8.6 and have not applied a patch, you are potentially affected by this vulnerability. Authentication is required to exploit it.
Upgrade ResourceSpace to a patched version that addresses the SQL injection vulnerability. Input validation and WAF rules can provide temporary mitigation.
There is currently no widespread evidence of active exploitation of CVE-2019-25693, but it remains a significant risk.
Refer to the ResourceSpace security advisories page for the latest information and updates regarding CVE-2019-25693.