PT-2025-30554 · Invision Power Systems · Invision Community

Published 2025-07-23 · Updated 2025-11-15 · CVE-2025-48932

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

Name of the Vulnerable Software and Affected Versions

Invision Community versions prior to 4.7.20

Description

The Invision Community software contains a SQL injection issue in the calendar/view.php file. The vulnerability resides in the IPS\calendar\modules\front\calendar\view::search() method, where user input from the location request parameter is not properly sanitized before being used in a SQL query at line 743. Successful exploitation requires the “calendar” application to be installed and a “GeoLocation feature” to be configured.

Recommendations

Update Invision Community to a version newer than 4.7.20.

Exploit

Related Identifiers

CVE-2025-48932

Affected Products

Invision Community