CVE-2025-13546 MEDIUM

CVE-2025-13546: ashraf-kabir travel-agency Search results.php sql injection

Vendor Ashraf-Kabir

Product travel-agency

Weakness CWE-89 · SQLi

Published November 23, 2025

Last update November 24, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability was detected in ashraf-kabir travel-agency up to 1f25aa03544bc5fb7a9e846f8a7879cecdb0cad3. Affected by this issue is some unknown functionality of the file /results.php of the component Search. The manipulation of the argument user_query results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable.

Key dates

02Disclosure timeline

November 23, 2025 CVE published

November 24, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-13546

Related vulnerabilities

Identifiers

CVE CVE-2025-13546

CWE CWE-89

CVSS 5.3 / MEDIUM

Affected versions