PT-2025-33814 · Unknown · Smartlibrary+1
Published
2025-08-19
·
Updated
2025-10-07
·
CVE-2025-51506
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions:
HRForecast Suite versions 0.4.3
Description:
A SQL injection flaw exists in the smartLibrary component. This allows any authenticated user to execute arbitrary SQL queries through crafted payloads to the
valueKey parameter. The vulnerability is located in the /api/smartlibrary/v2/en/dictionaries/options/lookup API endpoint.Recommendations:
Apply input validation and sanitization to the
valueKey parameter.Exploit
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Hrforecast Suite
Smartlibrary