CVE-2025-7886
Description
A vulnerability, which was classified as critical, was found in pmTicket Project-Management-Software up to 2ef379da2075f4761a2c9029cf91d073474e7486. This affects the function getUserLanguage of the file classes/class.database.php. The manipulation of the argument user_id leads to sql injection. It is possible to initiate the attack remotely. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in pmTicket's getUserLanguage function via user_id parameter allows remote attackers to execute arbitrary SQL commands.
Vulnerability Overview
CVE-2025-7886 describes a critical SQL injection vulnerability in pmTicket Project-Management-Software up to commit 2ef379da2075f4761a2c9029cf91d073474e7486. The flaw resides in the getUserLanguage function within classes/class.database.php, where the user_id parameter is not sanitized before being used in database queries. This allows an attacker to inject arbitrary SQL commands through the affected parameter [1].
Attack Vector and Prerequisites
The attack can be performed remotely and, according to the proof-of-concept material cited in [1], without authentication; no special privileges are required. Because the product follows a rolling-release model, no version numbers identify affected builds: every checkout up to and including commit 2ef379da2075f4761a2c9029cf91d073474e7486 should be treated as affected, and no fixed commit has been identified.
Impact
Successful exploitation of this SQL injection vulnerability could lead to unauthorized access to the underlying database, potentially allowing attackers to retrieve, modify, or delete sensitive data. The CVSS v3 score of 7.3 (High) reflects the severity of the integrity and confidentiality impacts [1].
Mitigation Status
The vendor was contacted but did not respond, and no official advisory or patch has been released; the vulnerability is considered unpatched as of the publication date [1]. Until a fix appears, operators should patch the query in getUserLanguage themselves so that user_id is validated as an integer and bound as a query parameter (prepared statement) rather than concatenated into the SQL string, and should limit network exposure of the application in the meantime.
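The flaw described in the overview (user_id concatenated into the query that getUserLanguage runs) and the fix recommended in the status paragraph, as an added example that is not pmTicket's code. pmTicket is a PHP project, but the pattern is reproduced here in Python against an in-memory SQLite table so it runs stand-alone. The table schema, the sample rows and the UNION payload are all constructed assumptions, and the three function bodies are hypothetical reconstructions of the pattern, not the project's implementation.

```python
import re
import sqlite3

# Constructed sample data standing in for a users table with a per-user
# language setting. This schema is an assumption for the demo, not
# pmTicket's real schema.
SAMPLE_USERS = [
    (1, "alice", "en", "$2y$10$hashA"),
    (2, "bob", "de", "$2y$10$hashB"),
]

# Constructed attacker input for the user_id argument: the leading 0 matches
# no real user, so everything returned comes from the injected UNION.
UNION_PAYLOAD = "0 UNION SELECT password_hash FROM users"


def make_db():
    """In-memory SQLite database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "user_id INTEGER PRIMARY KEY, username TEXT, language TEXT, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def get_user_language_vulnerable(conn, user_id):
    """Hypothetical reconstruction of the flawed pattern: user_id is pasted
    straight into the SQL text, so its content becomes part of the query."""
    sql = f"SELECT language FROM users WHERE user_id = {user_id}"
    return [row[0] for row in conn.execute(sql).fetchall()]


def get_user_language_bound(conn, user_id):
    """Parameter binding alone: the value travels separately from the SQL,
    so it can only be compared against user_id, never parsed as SQL."""
    rows = conn.execute(
        "SELECT language FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()
    return [row[0] for row in rows]


def get_user_language_fixed(conn, user_id):
    """Binding plus input validation: reject anything that is not a
    positive decimal integer before it reaches the database at all."""
    if not re.fullmatch(r"[1-9][0-9]*", str(user_id)):
        raise ValueError("user_id must be a positive integer")
    return get_user_language_bound(conn, int(user_id))


def demo():
    """Run the three variants against a legitimate id and the payload."""
    conn = make_db()
    result = {
        "vulnerable_legit": get_user_language_vulnerable(conn, 2),
        # Leaks every password hash through the injected UNION.
        "vulnerable_payload": get_user_language_vulnerable(conn, UNION_PAYLOAD),
        "bound_legit": get_user_language_bound(conn, 2),
        # The payload is compared as an opaque value and matches no row.
        "bound_payload": get_user_language_bound(conn, UNION_PAYLOAD),
        "fixed_legit": get_user_language_fixed(conn, "2"),
    }
    try:
        get_user_language_fixed(conn, UNION_PAYLOAD)
        result["fixed_payload_rejected"] = False
    except ValueError:
        result["fixed_payload_rejected"] = True
    conn.close()
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The equivalent fix in a PHP code base is a prepared statement (PDO::prepare with bindValue, or mysqli_stmt with bind_param) with the integer check in front of it. String escaping on its own is not a substitute here: the value sits in a numeric context with no surrounding quotes, so there is nothing for the escaping to protect.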
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.