PT-2025-46957 · Unknown · Ury-Erp Ury
Ictrun
Published: 2025-11-14 · Updated: 2026-01-09
CVE-2025-13168
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ury-erp ury, versions up to 0.2.0
Description: ury-erp ury contains an SQL injection weakness. The flaw lies in the handling of the search term argument of the overridden past-order-list function in the file ury/ury/api/pos_extend.py, where the attacker-controlled term reaches the SQL query without proper sanitisation. The issue is exploitable remotely without authentication, and a public exploit is available.
Recommendations: Upgrade to version 0.2.1 or later to address this issue.
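The weakness class described above, as an added illustration that is not ury's own code: a hypothetical past-order lookup that interpolates the search term into its SQL text, beside a parameterized version. The table schema, function names and probe input are constructed for this example.

```python
import sqlite3

# Constructed sample data standing in for a POS order table; not ury's schema.
ORDERS = [
    (1, "INV-0001", "Table 4", "Alice"),
    (2, "INV-0002", "Table 7", "Bob"),
    (3, "INV-0003", "Takeaway", "Carol"),
]


def _db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (id INTEGER, name TEXT, table_no TEXT, customer TEXT)")
    con.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", ORDERS)
    return con


def past_order_list_vulnerable(con, search_term):
    # Hypothetical vulnerable pattern: the search term is pasted into the SQL text, so a
    # quote character in it terminates the string literal and the rest becomes SQL.
    sql = f"SELECT name FROM orders WHERE customer LIKE '%{search_term}%'"
    return [row[0] for row in con.execute(sql)]


def past_order_list_fixed(con, search_term):
    # Hardened form: the term is bound as a parameter, so it can only ever be data.
    # LIKE wildcards inside it are escaped too, so a user cannot widen the match.
    escaped = search_term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT name FROM orders WHERE customer LIKE ? ESCAPE '\\'"
    return [row[0] for row in con.execute(sql, (f"%{escaped}%",))]


def demo():
    con = _db()
    benign = "ali"
    # Constructed probe input: closes the literal, appends an always-true condition,
    # and comments out the rest of the original query.
    hostile = "zzz' OR 1=1 --"
    return {
        "vuln_benign": past_order_list_vulnerable(con, benign),     # ['INV-0001']
        "vuln_hostile": past_order_list_vulnerable(con, hostile),   # every order
        "fixed_benign": past_order_list_fixed(con, benign),         # ['INV-0001']
        "fixed_hostile": past_order_list_fixed(con, hostile),       # []
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a Frappe app the same principle applies: pass the search term to the database layer as a bound value rather than formatting it into the query string.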

Weakness Enumeration: Special Elements Injection; SQL injection
Related Identifiers: CVE-2025-13168
Affected Products: Ury-Erp Ury