SQL Injection Vulnerability in pmTicket Project-Management Software
CVE-2025-7886

6.9 MEDIUM

Key Information:

Vendor: Pmticket

CVE Published: 20 July 2025

What is CVE-2025-7886?

A SQL injection vulnerability exists in the pmTicket Project-Management Software, specifically within the getUserLanguage function in the class.database.php file. By manipulating the user_id argument, an attacker can execute malicious SQL queries, potentially compromising the system's database. This vulnerability can be exploited remotely without the need for prior authentication. The rolling release approach of pmTicket complicates tracking specific affected versions, as continuous updates may obscure which releases are vulnerable or patched.

Affected Version(s)

Project-Management-Software 2ef379da2075f4761a2c9029cf91d073474e7486

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Allan Njuguna (VulDB User)