Home > Vulnerability Database > CVE-2025-50984

Mend.io Vulnerability Database

CVE-2025-50984

Good to know:

Date: August 26, 2025

diskover-web v2.3.0 Community Edition is vulnerable to multiple boolean-based blind SQL injection flaws in its Elasticsearch configuration form. Unsanitized user input in POST parameters such as ES_PASS, ES_MAXSIZE, ES_TRANSLOGSIZE, ES_TIMEOUT, ES_USER, ES_HOST, ES_PORT, ES_SCROLLSIZE, ES_CHUNKSIZE and others can be crafted to inject arbitrary SQLite expressions wrapped in JSON functions. By exploiting these injection points, an attacker can infer or extract sensitive information from the underlying database without authentication. This issue stems from improper input validation and parameterization in the application's JSON-based query construction.

Severity Score

8.6

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-50984

Url: https://github.com/4rdr/proofs/blob/main/info/diskover-web-v2.3.0-community-edition-sqli.md

Url: https://www.mend.io/vulnerability-database/CVE-2025-50984

Severity Score

8.6

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

Top Fix

Upgrade Version

Upgrade to version https://github.com/diskoverdata/diskover-community.git - null

CVSS v3.1

Base Score:	8.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-50984

Good to know:

Date: August 26, 2025

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?