VYPR
Critical severity · GHSA Advisory · Published Oct 8, 2025 · Updated Apr 15, 2026

CVE-2025-10351

Description

SQL injection vulnerability in the melis-cms module of the Melis platform from Melis Technology. It allows an attacker to retrieve, create, update, and delete databases through the 'idPage' parameter of the '/melis/MelisCms/PageEdition/getTinyTemplates' endpoint.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| melisplatform/melis-cms (Packagist) | < 5.3.4 | 5.3.4 |

Patches

42d36326d9f6

Fixed injection problem

1 file changed · +4 -0
  • src/Controller/PageEditionController.php · +4 -0 · modified
    @@ -367,6 +367,10 @@ public function getTinyTemplatesAction()
     		$success = 1;
     		$tinyTemplates = array();
     
    +        if((is_null($idPage) || empty($idPage) || !is_numeric($idPage))){
    +            return new JsonModel($tinyTemplates);
    +        }
    +
     		// No pageId, return empty array 
     		if (!empty($idPage))
     		{
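
Review bot: the guard added at the top of getTinyTemplatesAction() validates $idPage with is_numeric(), which accepts more than a page id: strings such as "1e3", "-1", "1.5" or " 7" all pass, and the value then continues into the rest of the action unchanged as a string. For an integer identifier, either require ctype_digit((string) $idPage) or cast once after the check ($idPage = (int) $idPage;) so that only an integer reaches the code below. The is_null() test is redundant because empty() already covers null, and with this early return in place the existing if (!empty($idPage)) in the context lines can never be false, so it and its "No pageId" comment can go. Validation in the controller should also be backed by a bound parameter where the query is built, which is not part of this diff.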
    
