SQL Injection Vulnerability in Care2x 2.7 by Care2x
CVE-2019-25728

8.8HIGH

Key Information:

Vendor: Care2x
Status: Care2x
Vendor: CVE Published:; 4 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2019-25728?

Care2x version 2.7 is susceptible to multiple SQL injection vulnerabilities that allow unauthenticated attackers to exploit the ck_config cookie parameter. By crafting malicious SQL commands, attackers can manipulate requests to various endpoints such as login.php and indexframe.php, potentially divulging sensitive data stored in the database. This vulnerability underscores the importance of validating and sanitizing user inputs to safeguard against unauthorized data access.

Affected Version(s)

Care2x 2.7

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2019-25728 - Proof of Concept

References

https://www.exploit-db.com/exploits/46268

exploit

https://www.vulncheck.com/advisories/care2x-hospital-info...

third-party-advisory

CVSS V4

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 4, 2026
👾
Exploit known to exist
Jun 4, 2026
Vulnerability published
Jun 4, 2026
Vulnerability Reserved
Jun 4, 2026

Credit

Carlos Avila

CVE-2019-25728 Data

JSON