PT-2026-3888 · Aes · Aes
Published: 2026-01-22 · Updated: 2026-02-26 · CVE-2025-27378
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
AES (affected versions not specified)
Description
AES contains a SQL injection issue caused by an inactive configuration option: when the `sql.parsing` configuration is not active, input bypasses the latest SQL parsing logic. Without this configuration enabled, specially crafted input can be mishandled, potentially allowing attackers to inject and execute arbitrary SQL queries. Exploitation involves submitting crafted input to the system, which, because the parsing logic is bypassed, is interpreted as SQL code and executed.
Recommendations
Activate the latest SQL parsing logic in the configuration (the `sql.parsing` option) to prevent crafted input from being mishandled and exploited by attackers. As a temporary workaround, consider restricting or disabling input parameters that are used directly in SQL queries until the configuration is updated.
Fix
SQL injection
RCE
Related Identifiers
Affected Products
Aes