VYPR
Moderate severity · NVD Advisory · Published Aug 19, 2025 · Updated Aug 20, 2025

CVE-2025-51510


Description

MoonShine was discovered to contain a SQL injection vulnerability under the Blog -> Categories page when using the moonshine-tree-resource (version < 2.0.2) component.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MoonShine contains a SQL injection vulnerability in the Blog → Categories page when using the moonshine-tree-resource component before version 2.0.2.

What the vulnerability is

CVE-2025-51510 is a SQL injection vulnerability found in MoonShine, a Laravel admin panel. The bug exists in the Blog → Categories page when the moonshine-tree-resource component (version < 2.0.2) is used. The component fails to properly sanitize user-supplied input, allowing an attacker to inject arbitrary SQL queries [1][3].

How it can be exploited

An attacker with access to the MoonShine admin panel's Blog → Categories page can exploit this by crafting a malicious input in a field that is processed by the moonshine-tree-resource component. No authentication bypass is described; the attacker would need to have at least low-privileged access to the admin panel. The injection occurs during a database operation on the categories resource [1][3].

Impact

Successful exploitation allows the attacker to read, modify, or delete database records beyond the intended permissions, potentially compromising the confidentiality and integrity of the application's data. The exact CVSS vector was not provided, but SQL injection typically leads to high impact on data confidentiality and availability [1][3].

Mitigation

The vulnerability is fixed in version 2.0.2 of the moonshine-tree-resource component. Users should update the component to 2.0.2 or later. For MoonShine versions that include this component, apply the relevant updates as soon as possible [1][3].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: moonshine/moonshine (Packagist)
Affected versions: <= 3.12.5
Patched versions: not listed
