Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-44427 — SQL Injection in Rosariosis

CWE-89 — SQL Injection6 documents6 sources

Severity

9.8CRITICALNVD

EPSS

83.9%

top 0.70%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Rosariosis Francoisjacquet Rosariosis

Timeline

PublishedNov 29

Latest updateDec 2

Description

An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDrosariosis/rosariosis< 8.1.1

▶Packagistfrancoisjacquet/rosariosis< 8.1.1

🔴Vulnerability Details

GHSA

SQL Injection in rosariosis↗2021-12-02

▶

OSV

SQL Injection in rosariosis↗2021-12-02

▶

VulnCheck

rosariosis rosariosis Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')↗2021

▶

💥Exploits & PoCs

Nuclei

Rosario Student Information System Unauthenticated SQL Injection

▶

🕵️Threat Intelligence

Greynoiseio

NoiseLetter March 2026↗

▶