SQL Injection Vulnerability in Bookgy by INCIBE
CVE-2025-40617

9.3CRITICAL

Key Information:

Vendor: Bookgy
Status: Bookgy
Vendor: CVE Published:; 29 April 2025

What is CVE-2025-40617?

An SQL injection vulnerability exists in the Bookgy application, which permits attackers to manipulate the database via crafted HTTP requests. By exploiting parameters such as "IDTIPO", "IDPISTA", and "IDSOCIO" in the /bkg_seleccionar_hora_ajax.php endpoint, unauthorized users can retrieve, create, update, or delete database entries. This vulnerability poses significant risks to data integrity and should be addressed promptly.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Bookgy all versions

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multip...

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Apr 29, 2025
Vulnerability Reserved
Apr 16, 2025

Credit

David Utón Amaya (m3n0sd0n4ld)

JSON

Bookgy

What is CVE-2025-40617?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V4

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.