CVE Catalog

CVE-2025-50567

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.69%

48th percentile - higher than 48% of all known CVEs

Summary

Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. This leads to injection of user-controlled SQL statements, potentially leading to arbitrary PHP code execution.

Risk Assessment

An attacker can remotely execute arbitrary PHP code on the server, leading to full compromise of the CMS system, data theft, or further attacks on the infrastructure.

Recommendation

Immediately update Saurus CMS to the latest version that removes the use of the /e modifier in preg_replace() and employs secure SQL query parameterization methods.

Original NVD description (English source)

Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. This leads to injection of user-controlled SQL statements, potentially leading to arbitrary PHP code execution.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS