CVE-2025-1154

Name of the Vulnerable Software and Affected Versions xxyopen Novel versions up to 3.4.1

Description A critical issue has been found in the software, affecting some unknown functionality of the file "/api/front/search/books". The manipulation of the sort argument leads to SQL injection. The attack can be launched remotely. Other parameters might also be affected.

Recommendations For versions up to 3.4.1, as a temporary workaround, consider restricting access to the "/api/front/search/books" endpoint until a patch is available. Avoid using the sort argument in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.