PT-2025-51182 · Unknown · Ketr Jepaas

C3P0Ooo_Yiqiyin · Published 2025-12-15 · Updated 2025-12-15 · CVE-2025-14694

CVSS v2.0: 5.8 (Medium)

Vector: AV:N/AC:L/Au:M/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: ketr JEPaaS versions up to 7.2.8

Description: A flaw exists in ketr JEPaaS that allows for remote SQL injection. The issue is located in the readAllPostil function within the /je/postil/postil/readAllPostil file. Manipulation of the keyWord argument can trigger the injection. The exploit for this issue has been publicly released, and the vendor was notified but did not respond.

Recommendations: Versions prior to 7.2.8 should be updated. As a temporary workaround, consider restricting access to the readAllPostil function until a patch is available. Avoid using the keyWord parameter in the affected API endpoint until the issue is resolved.
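To check whether the workaround holds, the following added example (not part of the advisory or of JEPaaS) scans web access logs for requests to the affected endpoint and flags keyWord values that do not look like plain search terms. It assumes combined-format access logs and that keyWord travels in the query string; if the application sends it in a request body, only the endpoint hit itself is visible in these logs. The sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/je/postil/postil/readAllPostil"  # path named in the advisory
PARAM = "keyWord"                              # parameter named in the advisory

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Quote, comment and statement characters plus a few SQL keywords. This is a
# triage heuristic: a legitimate search for the word "select" will also match.
SUSPICIOUS_RE = re.compile(
    r"""['"`;\\]|--|/\*|\*/|\b(union|select|sleep|benchmark|extractvalue|updatexml)\b""",
    re.IGNORECASE,
)

def classify(line):
    """Return None (other request), 'endpoint' (hit, value looks plain) or 'suspicious'."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # Normalise the path: decode it, drop ';jsessionid=...' style suffixes and
    # a trailing slash, then compare case-insensitively.
    path = unquote(url.path).split(";")[0].rstrip("/")
    if path.lower() != ENDPOINT.lower():
        return None
    for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        # parse_qs decodes once; decode again to catch double-encoded input.
        if SUSPICIOUS_RE.search(value) or SUSPICIOUS_RE.search(unquote(value)):
            return "suspicious"
    return "endpoint"

def triage(lines):
    """Classify every log line, preserving order."""
    return [classify(line) for line in lines]

# Constructed sample entries (documentation IP ranges, invented values).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Dec/2025:10:00:01 +0000] "GET /je/postil/postil/readAllPostil?keyWord=invoice HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/Dec/2025:10:00:05 +0000] "GET /je/postil/postil/readAllPostil?keyWord=a%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9041',
    '203.0.113.9 - - [15/Dec/2025:10:00:09 +0000] "GET /je/postil/postil/readAllPostil?keyWord=note%2527 HTTP/1.1" 500 120',
    '198.51.100.4 - - [15/Dec/2025:10:00:12 +0000] "GET /je/index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for verdict, line in zip(triage(SAMPLE_LOG), SAMPLE_LOG):
        if verdict:
            print(f"{verdict:10} {line}")
```

Once access to readAllPostil has been restricted, any "endpoint" hit from outside the allowed sources is worth reviewing, not only the "suspicious" ones.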

Exploit

Fix

Weakness Enumeration: Special Elements Injection, SQL injection

Related Identifiers: CVE-2025-14694

Affected Products: Ketr Jepaas