PT-2025-46214 · Unknown · Torrentpier
Xy20130630 · Published 2025-11-10 · Updated 2025-12-31 · CVE-2025-64519
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: TorrentPier versions up to and including 2.8.8

Description: TorrentPier, a BitTorrent public/private tracker engine, contains an authenticated SQL injection flaw in the moderator control panel, specifically within the modcp.php file. A user with moderator permissions can inject malicious SQL code through the topic id (t) parameter. This allows the execution of arbitrary SQL queries, potentially leading to data disclosure, modification, or deletion. The vulnerable code directly incorporates the topic id variable into an SQL query without proper sanitization. Exploitation requires moderator privileges and can be performed using tools like sqlmap. The vulnerability is a time-based blind SQL injection.

Recommendations: Versions prior to 2.8.8 should be updated to a newer version that includes the patch available at commit 6a0f6499d89fa5d6e2afa8ee53802a1ad11ece80.
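The defect class described above, a request parameter concatenated into SQL text, and the corresponding fix are illustrated below. This is an added example written for this advisory; it is not TorrentPier's code and not the referenced patch. The table and column names (bb_topics, topic_id, topic_title), the function names and the in-memory SQLite data are hypothetical; only the parameter name t and the "topic id" concept come from the advisory.

```php
<?php
// Added illustration for this advisory: a generic moderator-panel handler
// that reads a topic id from the request and looks the topic up.
// Not TorrentPier's code. Table/column names (bb_topics, topic_id,
// topic_title) and the function names are hypothetical.

declare(strict_types=1);

// --- Vulnerable pattern (the class of defect the advisory describes) ---
// The request value is concatenated straight into the query, so whoever
// controls $_GET['t'] controls the SQL text. With a time-based blind
// injection the attacker never sees query output; only response latency
// changes, which is why output encoding or error suppression is no defence.
function fetch_topic_vulnerable(PDO $db, array $request): ?array
{
    $t = $request['t'] ?? '';
    $sql = 'SELECT topic_id, topic_title FROM bb_topics WHERE topic_id = ' . $t;
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Hardened pattern ---
// 1. Validate the parameter as a positive integer before it reaches the
//    database layer; reject anything else rather than trying to "clean" it.
// 2. Bind the value as a typed parameter so the SQL text is fixed.
function parse_topic_id(array $request): ?int
{
    $raw = $request['t'] ?? null;
    // Request values may also arrive as arrays (t[]=1); refuse those outright.
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer,
    // e.g. "1 OR 1=1", "1;--" or "0x41"; min_range rejects 0 and negatives.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function fetch_topic_hardened(PDO $db, array $request): ?array
{
    $id = parse_topic_id($request);
    if ($id === null) {
        // Log and refuse. A malformed topic id arriving from an authenticated
        // moderator session is itself a useful detection signal.
        error_log('modcp: rejected malformed topic id');
        return null;
    }
    $stmt = $db->prepare('SELECT topic_id, topic_title FROM bb_topics WHERE topic_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bb_topics (topic_id INTEGER PRIMARY KEY, topic_title TEXT)');
$db->exec("INSERT INTO bb_topics VALUES (1, 'Welcome'), (2, 'Rules')");

var_dump(fetch_topic_hardened($db, ['t' => '2']));         // well-formed id, bound as an integer
var_dump(fetch_topic_hardened($db, ['t' => '2 OR 1=1']));  // not an integer: refused before any query runs
var_dump(fetch_topic_hardened($db, ['t' => ['1']]));       // array value: refused
```

The validation step and the prepared statement are both kept on purpose: binding alone would already make the query safe, but rejecting a non-integer t at the edge gives operators a log line to alert on, whereas a silently bound string would simply return no rows and the probing would go unnoticed.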

Exploit
Fix
SQL injection

Weakness Enumeration

Related Identifiers
CVE-2025-64519
GHSA-4RWR-8C3M-55F6

Affected Products
Torrentpier