Platform: php
Component: melisplatform/melis-cms
Fixed in: 5.3.4
CVE-2025-10351 is a SQL injection vulnerability, rated critical, in the melisplatform/melis-cms module of the Melis platform. The flaw lets an attacker inject arbitrary SQL through the 'idPage' parameter of the '/melis/MelisCms/PageEdition/getTinyTemplates' endpoint, which can lead to unauthorized reading, modification, or deletion of database contents. Melis CMS versions up to and including 5.3.3 are affected; the fix is in version 5.3.4.
The practical impact depends on what the Melis CMS database holds, but it is significant in any deployment. An attacker who can run arbitrary SQL can read user credentials and whatever business data the CMS stores, alter or delete records (breaking data integrity and disrupting the site), and, by tampering with user or role records, escalate to administrative access to the CMS back office. Where the database contains personally identifiable information (PII), a breach also carries regulatory and reputational consequences. Whether the affected endpoint requires an authenticated back-office session is not stated here; treat it as reachable until you have confirmed otherwise against your own deployment.
CVE-2025-10351 was publicly disclosed on 2025-10-08. The vulnerability's severity and ease of exploitation suggest a potential for active exploitation. Currently, there are no publicly available proof-of-concept exploits, but the SQL injection nature of the vulnerability makes it likely that such exploits will emerge. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC
The primary mitigation for CVE-2025-10351 is to upgrade Melis CMS to version 5.3.4 or later without delay. If an immediate upgrade is not feasible, reduce exposure in the meantime: enforce strict validation of the 'idPage' parameter on the '/melis/MelisCms/PageEdition/getTinyTemplates' endpoint (a page id should be a plain integer, so reject anything else at the edge rather than trying to strip SQL keywords), and deploy web application firewall (WAF) rules that block SQL injection patterns aimed at that endpoint. Review web-server and application logs for requests to the endpoint carrying non-numeric 'idPage' values and for unusual database activity. These are stopgaps; only the upgrade removes the flaw. After upgrading, verify on an instance you are authorized to test that a SQL injection payload in 'idPage' is rejected or treated as literal data rather than changing the query's behaviour.
Update the Melis platform to version 5.3.4 or later. This update fixes the SQL injection vulnerability in the Melis CMS module. Take a backup before updating.
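As an added example (not Melis CMS code, and not the vendor's patch), the following Python implements the two interim controls described above: an allow-list check on 'idPage' that a WAF or request filter could apply to the named endpoint, and a scan of web-server access logs for requests that fail that check. The endpoint path and parameter name are taken from this advisory; the access-log format (Apache "combined") and the sample log lines are constructed for the example.

```python
"""Request screening and log triage for CVE-2025-10351.

Added example, not code from Melis CMS. The endpoint path and parameter
name come from the advisory; the log format (Apache combined) and the
sample log lines below are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the advisory.
AFFECTED_PATH = "/melis/MelisCms/PageEdition/getTinyTemplates"
AFFECTED_PARAM = "idPage"

# A page id is an integer key, so the allow-list is just decimal digits.
# Quotes, spaces, comment markers and encoded bytes all fail this test;
# no attempt is made to recognise SQL keywords, which is easy to bypass.
_ID_RE = re.compile(r"^[0-9]{1,10}$")


def is_safe_id_page(value: str) -> bool:
    """True only if value is a plain decimal integer (no sign, no whitespace)."""
    return _ID_RE.match(value) is not None


def check_request(path: str, query: str = "") -> str:
    """Classify one request against the affected endpoint.

    Returns 'other' for unrelated paths, 'allow' when every idPage value in
    the query string passes the allow-list (or none is present), and 'block'
    otherwise. Repeated parameters are all checked, so
    idPage=1&idPage=1 OR 1=1 is still blocked.
    """
    if path.rstrip("/") != AFFECTED_PATH:
        return "other"
    params = parse_qs(query, keep_blank_values=True)  # decodes %XX and '+'
    values = params.get(AFFECTED_PARAM, [])
    return "allow" if all(is_safe_id_page(v) for v in values) else "block"


# Apache "combined" access-log line (constructed format for the example).
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return (client ip, timestamp, first offending idPage value) per blocked request."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m is None:
            continue
        url = urlsplit(m.group("target"))
        if check_request(url.path, url.query) != "block":
            continue
        values = parse_qs(url.query, keep_blank_values=True)[AFFECTED_PARAM]
        offending = next(v for v in values if not is_safe_id_page(v))
        hits.append((m.group("ip"), m.group("ts"), offending))
    return hits


# Constructed sample lines: a legitimate request, two injection attempts
# against the affected endpoint, an attempt against an unrelated path, and
# a POST whose body is not logged (screen POST bodies inside the application).
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Oct/2025:10:00:01 +0000] "GET /melis/MelisCms/PageEdition/getTinyTemplates?idPage=42 HTTP/1.1" 200 1311',
    '10.0.0.9 - - [08/Oct/2025:10:00:02 +0000] "GET /melis/MelisCms/PageEdition/getTinyTemplates?idPage=42%20OR%201%3D1 HTTP/1.1" 200 9812',
    '10.0.0.9 - - [08/Oct/2025:10:00:03 +0000] "GET /melis/MelisCms/PageEdition/getTinyTemplates?idPage=42%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 1311',
    '10.0.0.7 - - [08/Oct/2025:10:00:04 +0000] "GET /melis/MelisCms/Page/list?idPage=1%20OR%201%3D1 HTTP/1.1" 200 77',
    '10.0.0.7 - - [08/Oct/2025:10:00:05 +0000] "POST /melis/MelisCms/PageEdition/getTinyTemplates HTTP/1.1" 200 1311',
]

if __name__ == "__main__":
    for ip, ts, payload in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} blocked idPage={payload!r}")
```

The validator rejects anything that is not a plain integer instead of hunting for SQL keywords: a keyword blocklist is routinely evaded with encoding and comment tricks, an integer allow-list is not. The filter only sees what reaches it, so parameters sent in a POST body must be screened inside the application, and none of this replaces the 5.3.4 upgrade.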
CVE-2025-10351 is a critical SQL injection vulnerability in Melis CMS versions up to and including 5.3.3; attackers can inject SQL into database queries through the 'idPage' parameter of the getTinyTemplates endpoint.
Yes: any deployment running Melis CMS 5.3.3 or earlier is affected by this SQL injection flaw.
Upgrade Melis CMS to version 5.3.4 or later. As a temporary stopgap, enforce strict integer validation of 'idPage' and add WAF rules for the affected endpoint.
No public exploit is known at the time of writing, but the vulnerability's severity and the straightforward nature of SQL injection mean exploitation should be expected.
Refer to the official Melis Technology website and security advisories for the latest information and updates regarding CVE-2025-10351.