SQL Injection Vulnerability in Travel-Agency Web Application by Ashraf Kabir
CVE-2025-13546

5.3MEDIUM

Key Information:

Vendor

Ashraf-kabir

Status
Travel-agency
Vendor
CVE Published:
23 November 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-13546?

A vulnerability exists in the ashraf-kabir travel-agency web application, specifically within the /results.php file associated with the Search component. The flaw arises from improper handling of the 'user_query' parameter, allowing for SQL injection attacks. This vulnerability enables attackers to manipulate SQL queries remotely, potentially exposing sensitive information from the database. The exploit has been made public, emphasizing the urgent need for remediation, as information regarding unaffected releases is unavailable due to the absence of versioning in the product.

Affected Version(s)

travel-agency 1f25aa03544bc5fb7a9e846f8a7879cecdb0cad3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-13546 - Proof of Concept

References

https://vuldb.com/?id.333313
vdb-entrytechnical-description
https://vuldb.com/?ctiid.333313
signaturepermissions-required
https://vuldb.com/?submit.691466
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

www234 (VulDB User)
JSON
.
CVE-2025-13546 : SQL Injection Vulnerability in Travel-Agency Web Application by Ashraf Kabir