CVE-2025-41005
Description
Imaster's MEMS Events CRM contains an SQL injection vulnerability in the ‘keyword’ parameter in ‘/memsdemo/exchange_offers.php’.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Imaster MEMS Events CRM via 'keyword' parameter allows authenticated attackers to execute arbitrary SQL commands, leading to data compromise.
Imaster's MEMS Events CRM is affected by an SQL injection vulnerability in the keyword parameter of the /memsdemo/exchange_offers.php endpoint [1]. The lack of proper input sanitization allows an attacker to inject arbitrary SQL queries through this parameter, leading to backend database manipulation.
Exploitation requires low-privileged authentication (CVSS v4.0 PR:L) but no user interaction (UI:N). An authenticated attacker can send specially crafted HTTP requests to the vulnerable parameter, causing the database to execute unintended SQL commands. The attack can be performed remotely over the network (AV:N) [1].
Successful exploitation can result in unauthorized reading, modification, or deletion of database contents. The CVSS v4.0 base score of 8.7 (High) reflects potentially high impact on confidentiality, integrity, and availability of the application [1].
As of the publication date, Imaster has not released a fix for this vulnerability [1]. Organizations using MEMS Events CRM are advised to apply input validation and restrict database permissions as temporary workarounds.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
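While no fix is available, web server access logs can be reviewed for injection attempts against this endpoint. The following is an added example, not code from the advisory or from Imaster: it assumes combined-format access logs and that `keyword` arrives in the query string (the advisory does not state the HTTP method), and the regex heuristic and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint and parameter named in the CVE description.
VULN_PATH = "/memsdemo/exchange_offers.php"
VULN_PARAM = "keyword"
# Assumed heuristic (not from the advisory): characters and SQL keywords that a
# search term rarely needs but injection attempts usually contain.
SUSPICIOUS = re.compile(
    r"""['";]|--|/\*|\b(union|select|sleep|benchmark|information_schema)\b""",
    re.IGNORECASE)
# Request field of a combined-format log line: "METHOD target PROTOCOL"
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Constructed sample log lines (documentation IP ranges, invented values).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/May/2026:10:01:02 +0000] "GET /memsdemo/exchange_offers.php?keyword=conference+tickets HTTP/1.1" 200 5120',
    '203.0.113.9 - - [19/May/2026:10:03:44 +0000] "GET /memsdemo/exchange_offers.php?keyword=x%27+UNION+SELECT+1 HTTP/1.1" 200 734',
    '198.51.100.4 - - [19/May/2026:10:05:10 +0000] "GET /memsdemo/exchange_offers.php?keyword=x%2527%2520OR%25201%253D1 HTTP/1.1" 500 0',
    '198.51.100.4 - - [19/May/2026:10:06:00 +0000] "GET /memsdemo/index.php?keyword=x%27 HTTP/1.1" 200 100',
]

def fully_decode(value, rounds=3):
    """Undo repeated URL-encoding so double-encoded values are still inspected."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_keywords(log_lines):
    """Return (client_ip, decoded_keyword) for flagged requests to the endpoint."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue  # not a parsable request line
        target = urlsplit(match.group("target"))
        if target.path != VULN_PATH:
            continue  # only the endpoint named in the CVE
        # parse_qs already decodes once; fully_decode handles extra layers.
        for raw in parse_qs(target.query, keep_blank_values=True).get(VULN_PARAM, []):
            value = fully_decode(raw)
            if SUSPICIOUS.search(value):
                hits.append((line.split()[0], value))
    return hits

if __name__ == "__main__":
    for ip, keyword in suspicious_keywords(SAMPLE_LOG):
        print(f"{ip}\t{keyword!r}")
```

Requests that carry the parameter in a POST body do not appear in standard access logs, so this review only covers query-string traffic.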
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.