CVE-2025-13276
Description
A vulnerability was detected in g33kyrash Online-Banking-System up to 12dbfa690e5af649fb72d2e5d3674e88d6743455. This vulnerability affects unknown code of the file /index.php. The manipulation of the argument Username results in SQL injection. It is possible to launch the attack remotely. The exploit is now public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An SQL injection vulnerability exists in g33kyrash/Online-Banking-System's /index.php via the Username parameter, with a public exploit available.
Root Cause
An SQL injection vulnerability has been identified in the g33kyrash/Online-Banking-System, affecting code within /index.php. The flaw lies in the handling of the Username argument, which is improperly sanitized before being used in a database query. This allows an attacker to inject arbitrary SQL commands by manipulating this parameter [1]. The project uses a rolling-release model, so specific version identifiers are not provided; however, the vulnerable state is captured in the commit 12dbfa690e5af649fb72d2e5d3674e88d6743455 [1].
Exploitation
An attacker can exploit this vulnerability remotely without requiring any prior authentication. The attack vector is straightforward: by sending a crafted HTTP request to the target's /index.php endpoint with malicious SQL payloads in the Username field, an attacker can interfere with the application's database logic [1]. The exploit has been publicly released, increasing the risk of widespread scanning and active exploitation.
Impact
Successful exploitation could allow an attacker to read, modify, or delete sensitive data stored in the database. Given the nature of an online banking system, this could include financial records, user credentials, and transaction histories. The CVSS v3 score of 7.3 (High) reflects the significant potential for confidential data exposure and system compromise.
Mitigation
As of the publication date (17 November 2025), no official patched release has been provided due to the rolling-release approach. Users and administrators of the affected system are advised to implement input validation and parameterized queries for the /index.php login form, or apply any available upstream fixes. The publicly available exploit makes immediate mitigation a priority.
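The mitigation described above, sketched as an added example that is not the project's code: a concatenated login lookup next to a validated, parameterized one. The `users` table, its columns, the username policy and the in-memory SQLite database are assumptions made for illustration; the project's real schema and database driver are not shown on this page.

```php
<?php
declare(strict_types=1);
// Added example, not the project's code; schema and names are assumed.

// Constructed in-memory database standing in for the application's user table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$seed = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$seed->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// The pattern behind this class of bug: request data becomes part of the SQL text.
function login_concatenated(PDO $pdo, string $username): bool
{
    $sql = "SELECT password_hash FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchColumn() !== false;
}

// Hardened form: allowlist validation first, then a bound parameter.
function login_parameterized(PDO $pdo, string $username, string $password): bool
{
    // Assumed username policy: 3-32 characters from a fixed allowlist.
    if (preg_match('/\A[A-Za-z0-9_.-]{3,32}\z/', $username) !== 1) {
        return false;
    }
    // The value is sent as data and never spliced into the statement text.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

$quoted = "o'brien"; // constructed, benign input that happens to contain a quote
try {
    login_concatenated($pdo, $quoted);
    echo "concatenated: query ran unchanged\n";
} catch (PDOException $e) {
    // A parse error here shows the input reached the SQL parser as syntax.
    echo "concatenated: input altered the SQL text (", $e->getMessage(), ")\n";
}
var_dump(login_parameterized($pdo, 'alice', 'correct horse'));
var_dump(login_parameterized($pdo, $quoted, 'anything'));
```

A database error triggered by a single quote in the Username field is a useful signal to alert on in application logs while the concatenated form is still deployed.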
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 4
News mentions: 0 (no linked articles in our index yet)