VYPR
High severity7.3NVD Advisory· Published Aug 20, 2025· Updated Apr 29, 2026

CVE-2025-9238


Description

A vulnerability was determined in Swatadru Exam-Seating-Arrangement up to 97335ccebf95468d92525f4255a2241d2b0b002f. Affected is an unknown function of the file /student.php of the component Student Login. Executing manipulation of the argument email can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in student.php login of Swatadru Exam-Seating-Arrangement allows remote unauthenticated attackers to execute arbitrary SQL commands.

Root Cause

A SQL injection vulnerability exists in the email parameter of the /student.php login form in the Swatadru Exam-Seating-Arrangement application. User input is directly concatenated into SQL queries without prepared statements or input validation, allowing an attacker to manipulate the query [1][2]. The product uses rolling releases, so specific affected versions are not identified, but the issue was confirmed in the latest tested commit up to 97335ccebf95468d92525f4255a2241d2b0b002f.

Exploitation

The attack is remotely exploitable without authentication. An attacker submits a malicious payload in the email parameter, such as admin@gmail.com', which breaks out of the query's syntax [1]. Tools like SQLMap can automate database enumeration and exploitation using a captured HTTP POST request [1]. The vendor was contacted but did not respond [1].

Impact

Successful exploitation can lead to authentication bypass (including admin-level access), exfiltration of sensitive student and exam data, modification or deletion of database contents, and potential escalation to full server compromise depending on database privileges [1].

Mitigation

As of the disclosure date, no official patch or advisory has been released. Users are advised to immediately apply input validation, use parameterized queries or prepared statements, and monitor the repository for future updates. The vulnerability is publicly documented with working proof-of-concept code and is not listed in any known KEV catalog at this time.
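To make the root cause and the recommended fix concrete, the following is an added illustration written for this page; it is not code from the Exam-Seating-Arrangement project, whose /student.php source is not reproduced here. It uses an in-memory SQLite table with constructed sample rows (the table and column names are assumptions) to contrast the concatenation pattern the advisory describes with a parameterized query, and runs the page's `admin@gmail.com'` value through both:

```python
import re
import sqlite3

# Constructed sample data standing in for the application's student login table.
# Table and column names are assumptions for this illustration only.
SAMPLE_STUDENTS = [
    ("alice@example.com", "hashed-pw-1"),
    ("bob@example.com", "hashed-pw-2"),
]

# Coarse plausibility check for the email field. This is a defense-in-depth
# filter, not the fix: the real fix is the parameterized query below.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_plausible_email(value):
    """Return True only for values shaped like an email address."""
    return bool(EMAIL_RE.match(value))


def make_db():
    """Create a throwaway in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (email TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?)", SAMPLE_STUDENTS)
    return conn


def lookup_concatenated(conn, email):
    """Vulnerable pattern: the untrusted value is spliced into the SQL text.

    A single quote in `email` changes the structure of the statement instead
    of being treated as data, which is exactly the defect the advisory reports.
    """
    query = "SELECT email FROM students WHERE email = '" + email + "'"
    return conn.execute(query).fetchone()


def lookup_parameterized(conn, email):
    """Hardened pattern: a placeholder keeps the value out of the SQL grammar."""
    return conn.execute(
        "SELECT email FROM students WHERE email = ?", (email,)
    ).fetchone()


def demonstrate(email):
    """Run the same input through both lookups.

    Returns (vulnerable_result, safe_result). The vulnerable result is
    ("ok", row) when the concatenated statement parsed, or ("sql_error", msg)
    when the input broke the statement's syntax; the safe result is the row
    or None.
    """
    conn = make_db()
    try:
        vulnerable = ("ok", lookup_concatenated(conn, email))
    except sqlite3.Error as exc:
        vulnerable = ("sql_error", str(exc))
    safe = lookup_parameterized(conn, email)
    conn.close()
    return vulnerable, safe


if __name__ == "__main__":
    for candidate in ("alice@example.com", "admin@gmail.com'"):
        print(candidate, is_plausible_email(candidate), demonstrate(candidate))
```

For the legitimate address both lookups return the same row. For the quoted value from the advisory, the concatenated statement is no longer valid SQL (the database reports a syntax error, which is the symptom that makes this class of bug discoverable by probing), while the parameterized version simply finds no matching row. The plausibility check rejects the quoted value as well, but it should be treated as a second layer; only the placeholder removes the injection.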

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.