CVE-2025-46337
published 2025-05-01


Priority: P2 66
CVSS 3.1: 10.0 critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L)
EPSS: 0.64% (46.0th percentile)
ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. Prior to version 5.22.9, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data. This issue has been patched in version 5.22.9.

Affected (3 ranges)

Vendor  | Product       | Version range                                  | Fixed in
adodb   | adodb         | < 5.22.9                                       | 5.22.9
adodb   | adodb-php     | >= 0, < 5.22.9                                 | 5.22.9
debian  | libphp-adodb  | < libphp-adodb 5.21.4-1+deb12u1 (bookworm)     | libphp-adodb 5.21.4-1+deb12u1 (bookworm)

Detection & IOCs (extracted from sources)

  • Vulnerability is triggered when ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data — monitor for unsanitized user input passed to this function in PHP applications using ADOdb prior to version 5.22.9
  • Vulnerability only affects ADOdb installations prior to version 5.22.9 connecting to PostgreSQL backends; other database backends are not affected by this specific issue
  • Debian bookworm and bullseye carry backported fixes at versions 5.21.4-1+deb12u1 and 5.20.19-1+deb11u2 respectively — version number alone may not indicate patch status on Debian-based systems

CVSS provenance

nvd: v3.1, 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
osv: 10.0 CRITICAL
vendor_debian: 10.0 CRITICAL