
CVE-2025-10351: Melis Platform CMS SQL Injection

CVSS Score: N/A

Basic Information

EPSS Score: 0.07538%
Published: 10/8/2025
Updated: 10/9/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: -

Package Name: melisplatform/melis-cms
Ecosystem: composer
Vulnerable Versions: < 5.3.4
First Patched Version: 5.3.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The analysis of the security patch (commit 42d36326d9f6400b91db574483add2747af1db21) provides clear evidence of the vulnerability. The patch was applied to the src/Controller/PageEditionController.php file, specifically within the getTinyTemplatesAction function. The added code explicitly checks if the $idPage parameter is null, empty, or non-numeric. This indicates that prior to this change, the parameter was likely passed to a database query without sufficient validation, which is the root cause of the SQL injection vulnerability as described. The vulnerability description directly implicates the 'idPage' parameter and the '/melis/MelisCms/PageEdition/getTinyTemplates' endpoint, which corresponds to the getTinyTemplatesAction method in the PageEditionController. Therefore, this function is the direct entry point for the exploit.

Vulnerable functions

PageEditionController::getTinyTemplatesAction
src/Controller/PageEditionController.php
The vulnerability lies in the 'getTinyTemplatesAction' function, which handles requests to the '/melis/MelisCms/PageEdition/getTinyTemplates' endpoint. The 'idPage' parameter, taken from the request, was used without proper sanitization or validation. This allowed an attacker to inject arbitrary SQL commands. The patch mitigates this by adding a check to ensure that 'idPage' is a numeric value before it is used, thus preventing the SQL injection.
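As an added illustration (not code from melis-cms or from the patch itself), the pattern the advisory describes in before/after form: an 'idPage' request parameter interpolated straight into a query, beside a version that applies the null/empty/non-numeric check the patch adds and then binds the value through a prepared statement. The table and column names, and the in-memory SQLite database used to run it, are constructed for this demo.

```php
<?php
// Illustrative example, not melis-cms code. It models the defect the advisory
// describes (an unchecked 'idPage' reaching SQL) and the shape of the fix.
// Assumes a PDO handle and a constructed table 'demo_page' (not a project table).

function getTinyTemplatesVulnerable(PDO $pdo, array $request): array
{
    // BEFORE: the raw parameter is interpolated into the statement, so any
    // non-numeric value rewrites the WHERE clause instead of being rejected.
    $idPage = $request['idPage'] ?? '';
    $sql = "SELECT page_id, page_template FROM demo_page WHERE page_id = $idPage";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function getTinyTemplatesFixed(PDO $pdo, array $request): array
{
    // AFTER: refuse null, empty and non-numeric input before any database
    // access (the check the patch introduces; ctype_digit is used here as a
    // strict form of "numeric"), then bind the value as an integer.
    $idPage = $request['idPage'] ?? null;
    if ($idPage === null || $idPage === '' || !ctype_digit((string) $idPage)) {
        return []; // caller can map this to an HTTP 400 response
    }
    $stmt = $pdo->prepare(
        'SELECT page_id, page_template FROM demo_page WHERE page_id = :id'
    );
    $stmt->bindValue(':id', (int) $idPage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained run against constructed data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE demo_page (page_id INTEGER, page_template TEXT)');
$pdo->exec("INSERT INTO demo_page VALUES (1, 'home'), (2, 'blog')");

$tampered = ['idPage' => '1 OR 1=1']; // constructed non-numeric input
// Vulnerable path: the altered clause matches more than the requested page.
var_dump(getTinyTemplatesVulnerable($pdo, $tampered));
// Fixed path: the same input never reaches the query.
var_dump(getTinyTemplatesFixed($pdo, $tampered));
// Fixed path with a well-formed id still returns the single matching row.
var_dump(getTinyTemplatesFixed($pdo, ['idPage' => '2']));
```

Running the two paths side by side shows the detection point as well: with the fix in place, a non-numeric 'idPage' is rejected at the controller boundary, so an application log of rejected requests on this endpoint is a usable signal.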

WAF Protection Rules

WAF Rule

SQL injection vulnerability based on the melis-cms module of the Melis platform from Melis Technology. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'idPage' parameter in the '/melis/MelisCms/Page
