SQL Injection Vulnerability in Korzh EasyQuery Query Builder UI
CVE-2025-10399

5.3MEDIUM

Key Information:

Vendor

Korzh

Status
Easyquery
Vendor
CVE Published:
14 September 2025

What is CVE-2025-10399?

A vulnerability has been discovered in Korzh EasyQuery, specifically impacting versions up to 7.4.0. This flaw resides within the Query Builder UI component, where improper handling of user inputs in the API endpoint /api/easyquery/models/nwind/fetch allows an attacker to inject malicious SQL queries. This could permit unauthorized access to the database or manipulation of sensitive data, and the potential for exploitation exists remotely. Publicly available exploit techniques increase the urgency for users to address this vulnerability promptly.

Affected Version(s)

EasyQuery 7.0

EasyQuery 7.1

EasyQuery 7.2

References

https://vuldb.com/?id.323834
vdb-entry
https://vuldb.com/?ctiid.323834
signaturepermissions-required
https://vuldb.com/?submit.646353
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

cbauhofer (VulDB User)
.
CVE-2025-10399 : SQL Injection Vulnerability in Korzh EasyQuery Query Builder UI