CVE-2025-8952

A vulnerability was found in Campcodes Online Flight Booking Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/ajax.php?action=login of the component Login. The manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Published: Aug 14, 2025
Updated: Aug 15, 2025
CVE: CVE-2025-8952
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-74
CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
campcodes / online_flight_booking_management_system	1.0	1.0.x

https://vuldb.com/?ctiid.319921
https://vuldb.com/?id.319921
https://vuldb.com/?submit.627814
https://www.campcodes.com/
https://www.yuque.com/yuqueyonghuvrsrwv/dhlxlu/mlyefhpcsdan2df3?singleDoc
https://www.yuque.com/yuqueyonghuvrsrwv/dhlxlu/mlyefhpcsdan2df3#vulnerability-details-and-poc

Vulnerability Database

CVE-2025-8952

Deep Security Visibility Without the Complexity