Critical SQLi Hits Grocery Store Management System
A critical SQL injection vulnerability, tracked as CVE-2025-63939, has been identified in anirudhkannan Grocery Store Management System version 1.0. According to the National Vulnerability Database, this flaw, stemming from improper input handling in the /Grocery/search_products_itname.php endpoint, allows attackers to inject malicious SQL queries via the sitem_name POST parameter.
This isn’t some low-priority bug; the National Vulnerability Database has assigned it a CVSS v3.1 score of 9.8, classifying it as CRITICAL. The vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates that it’s network-exploitable, requires low attack complexity, needs no privileges or user interaction, and can lead to complete compromise of confidentiality, integrity, and availability. Essentially, it’s a sitting duck for anyone looking to pwn a vulnerable system.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2025-63939 | SQLi | anirudhkannan Grocery Store Management System 1.0 |
| CVE-2025-63939 | SQLi | /Grocery/search_products_itname.php |
| CVE-2025-63939 | SQLi | POST parameter sitem_name |
| CVE-2025-63939 | SQLi | CWE-20: Improper Input Validation |