CVE-2025-50567
CriticalCVSS 10.0Exploitation Probability (EPSS)
Low risk48th percentile - higher than 48% of all known CVEs
Summary
Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. This leads to injection of user-controlled SQL statements, potentially leading to arbitrary PHP code execution.
Risk Assessment
An attacker can remotely execute arbitrary PHP code on the server, leading to full compromise of the CMS system, data theft, or further attacks on the infrastructure.
Recommendation
Immediately update Saurus CMS to the latest version that removes the use of the /e modifier in preg_replace() and employs secure SQL query parameterization methods.
Original NVD description (English source)
Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. This leads to injection of user-controlled SQL statements, potentially leading to arbitrary PHP code execution.

