CVE-2025-52425

CWE-89 — SQL Injection CWE-400 — Uncontrolled Resource Consumption5 documents5 sources

Severity

9.5CRITICAL

EPSS

0.1%

top 73.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qnap Systems Inc. Qumagie Qnap Qumagie

Timeline

PublishedNov 7

Description

An SQL injection vulnerability has been reported to affect QuMagie. A remote attacker can exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following versions: QuMagie 2.7.0 and later

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected Packages2 packages

▶NVDqnap/qumagie2.6.0 — 2.7.0

▶CVEListV5qnap_systems_inc./qumagie2.7.x — 2.7.0

🔴Vulnerability Details

CVEList

QuMagie↗2025-11-07

▶

GHSA

GHSA-6f3w-7q37-9xgc: An SQL injection vulnerability has been reported to affect QuMagie↗2025-11-07

▶

📋Vendor Advisories

Microsoft

libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.↗2024-02-13

▶