CVE-2025-60797

CVE Database · CVE-2025-60797

CVE-2025-60797

· MEDIUMAnalyzed

CVSS v3.1

6.5

EPSS

0.22%

Published

Nov 20, 2025

Modified

Nov 25, 2025

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in dataexport.php at line 118. The application directly executes user-supplied SQL queries from the $_REQUEST['query'] parameter without any sanitization or parameterization via $data->conn->Execute($_REQUEST['query']). An authenticated attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or privilege escalation.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Weaknesses (CWE)

CWE-89

Affected Products (1)

phppgadmin_project · phppgadminvulnerable

References (2)

https://github.com/phppgadmin/phppgadmin/blob/master/dataexport.php#L118

Product

https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60797.md

Third Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs