High severity7.3NVD Advisory· Published Aug 14, 2025· Updated Apr 29, 2026

CVE-2025-8987

Description

SQL injection in SourceCodester COVID 19 Testing Management System 1.0 via the remark parameter in /test-details.php allows remote unauthenticated attackers to execute arbitrary SQL queries.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in SourceCodester COVID 19 Testing Management System 1.0 via the remark parameter in /test-details.php allows remote unauthenticated attackers to execute arbitrary SQL queries.

Vulnerability

Description

CVE-2025-8987 is a SQL injection vulnerability in the SourceCodester COVID 19 Testing Management System version 1.0. The flaw exists in the /test-details.php file, where the MULTIPART remark parameter is directly incorporated into SQL queries without proper sanitization or validation. This allows an attacker to inject malicious SQL code by manipulating the remark parameter[1].

Exploitation

The vulnerability can be triggered remotely without requiring authentication.[1] The provided proof-of-concept demonstrates a time-based blind SQL injection technique using MySQL's SLEEP function. An attacker can send a crafted POST request with a malicious remark parameter to exploit the vulnerability, enabling them to infer information from the database based on response timing.

Impact

Successful exploitation can lead to unauthorized access to the database, potentially allowing extraction of sensitive data, modification or deletion of records, and in severe cases, full system control. The vendor has not released a patch, and a public exploit is available, increasing the risk of active attacks.

Mitigation

No official patch or workaround has been released by the vendor. Users should consider restricting network access to the application and applying input validation or upgrading to a secure version if available.

References

sourcecodester COVID 19 Testing Management System Project V1.0 /test-details.php SQL injection

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Unyasoft/Covid19 Testing Management System
cpe:2.3:a:unyasoft:covid19_testing_management_system:1.0:*:*:*:*:*:*:*
Phpgurukul/Covid19 Testing Management Systemllm-fuzzy
Range: =1.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/zhuyi-hz/cve/issues/4nvdExploitIssue TrackingThird Party Advisory
vuldb.comnvdThird Party AdvisoryVDB Entry
vuldb.comnvdThird Party AdvisoryVDB Entry
vuldb.comnvdPermissions RequiredVDB Entry
www.sourcecodester.comnvdProduct

News mentions

No linked articles in our index yet.

Severity

HighCVSS v3.1

7.3/ 10

CVSS v45.5

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: Low
Privileges: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS

Probability of exploitation in the next 30 days.

0.07%

VYPR risk score

Composite of severity, exploitation, and reach.

0.47medium

cvss	0.474
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE ID

CVE-2025-8987