CVE-2019-25260 HIGH

CVE-2019-25260: OXID eShop 6.3.4 - 'sorting' SQL Injection

Vendor Oxid-Esales
Product OXID eShop
Weakness CWE-89 · SQLi
Published February 3, 2026
Last update February 4, 2026
View on NVD All CVEs

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OXID eShop versions 6.x prior to 6.3.4 contains a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute arbitrary code through crafted URLs.

Key dates

02Disclosure timeline

February 3, 2026 CVE published
February 4, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-4925 SourceCodester School Intramurals Student Attendance Management System manage_course.php sql injection CVE-2025-2927 ESAFENET CDG getFileTypeList.jsp sql injection CVE-2016-6566 The Sungard eTRAKiT3 software version 3.2.1.17 may be vulnerable to SQL injection which may allow a remote unauthenticated attacker to run a subset of SQL commands against the back-end database CVE-2024-8762 code-projects Crud Operation System updatedata.php sql injection CVE-2025-11422 Campcodes Advanced Online Voting Management System login.php sql injection