CVE-2025-12277
Description
A flaw has been found in Abdullah-Hasan-Sajjad Online-School up to f09dda77b4c29aa083ff57f4b1eb991b98b68883. It affects an unknown part of the file /studentLogin.php. Manipulation of the argument Email leads to SQL injection. The attack can be carried out remotely. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An SQL injection vulnerability in Online-School's /studentLogin.php allows remote attackers to manipulate the Email parameter for unauthorized database access.
Vulnerability
An SQL injection flaw exists in the Abdullah-Hasan-Sajjad Online-School application, up to commit f09dda77b4c29aa083ff57f4b1eb991b98b68883. The issue is located in the /studentLogin.php file, where the Email argument is improperly sanitized before being used in database queries [1]. This lack of input validation allows an attacker to inject arbitrary SQL commands.
Exploitation
The attack can be carried out remotely without requiring prior authentication [1]. The exploit has been published, meaning proof-of-concept code is available, which lowers the barrier for malicious actors to exploit affected instances.
Impact
Successful exploitation could allow an attacker to read, modify, or delete sensitive data from the application's database, potentially including user credentials, personal information, and other application data [1]. The CVSS v3 score of 7.3 (High) reflects the serious confidentiality, integrity, and availability risks.
Mitigation
The vendor was contacted about this disclosure but did not respond. The product uses a rolling release strategy, but no patch has been confirmed. Users should consider restricting network access to the affected endpoint or applying external input validation until a fix is released [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 4