PT-2025-37051 · Unknown · Huangdou Utcms Version 9
August829 +1 · Published 2025-09-10 · Updated 2025-09-15 · CVE-2025-56407
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
HuangDou UTCMS version 9
Description:
A critical issue exists in HuangDou UTCMS version 9 related to SQL injection. The vulnerability affects the RunSql function within the app/modules/ut-data/admin/mysql.php file. Manipulation of the sql argument allows for SQL injection attacks, which can be initiated remotely. The exploit for this issue has been publicly disclosed.
Recommendations:
As a temporary workaround, consider restricting access to the app/modules/ut-data/admin/mysql.php file.
Avoid using the sql parameter in the RunSql function until the issue is resolved.
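
One way to check that the access restriction above is holding, added here as an example and not taken from the advisory or from UTCMS: the script reads web-server access log lines and reports every request to the affected file that came from outside an admin allowlist, marking whether the server refused it. It assumes Combined Log Format, that the file is served at the URL path named in the advisory, and a hypothetical admin network of 10.20.0.0/24; the log lines are constructed samples.

```python
import ipaddress
import re
from urllib.parse import unquote

# File named in the advisory; that it is served at this URL path is an assumption.
RESTRICTED_PATH = "app/modules/ut-data/admin/mysql.php"
# Hypothetical management network that is still allowed to reach the file.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Combined Log Format: client address, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) '
)

def is_admin(client):
    """True only for a literal IP address inside an allowed network."""
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostnames and junk are treated as outside
    return any(ip in net for net in ADMIN_NETS)

def audit(lines):
    """Return (client, method, status, verdict) for outside requests to the file."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode percent-encoding and drop the query string before matching.
        path = unquote(m["url"].split("?", 1)[0]).lower()
        if RESTRICTED_PATH not in path or is_admin(m["ip"]):
            continue
        status = int(m["status"])
        verdict = "blocked" if status in (401, 403, 404) else "REACHED"
        findings.append((m["ip"], m["method"], status, verdict))
    return findings

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '10.20.0.15 - - [12/Sep/2025:09:14:02 +0000] "POST /app/modules/ut-data/admin/mysql.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Sep/2025:09:15:40 +0000] "POST /app/modules/ut-data/admin/mysql.php HTTP/1.1" 403 153 "-" "curl/8.5.0"',
    '198.51.100.23 - - [12/Sep/2025:09:16:11 +0000] "POST /app/modules/ut-data/admin/mysql.php HTTP/1.1" 200 2048 "-" "python-requests/2.32"',
    '198.51.100.23 - - [12/Sep/2025:09:16:12 +0000] "GET /index.php HTTP/1.1" 200 7321 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Any REACHED row means the restriction is not in effect for that client and the request should be reviewed.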
Affected Products
Huangdou Utcms Version 9