CVE-2025-27378 - Vulnerability Details - OpenCVE

AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://www.altium.com/platform/security-compliance/security-advisories

History

Thu, 22 Jan 2026 01:15:00 +0000

Type	Values Removed	Values Added
Description		AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries.
Title		SQL Injection in AES Due to Inactive SQL Parsing Configuration
Weaknesses		CWE-20 CWE-89
References		https://www.altium.com/platform/security-compliance/security-advisories
Metrics		cvssV3_1 `{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L'}`

MITRE

Status: PUBLISHED

Assigner: Altium

Published: 2026-01-22T01:06:19.022Z

Updated: 2026-01-22T01:18:38.259Z

Reserved: 2025-02-23T21:02:12.105Z

Link: CVE-2025-27378

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-01-22T01:15:51.077

Modified: 2026-01-22T01:15:51.077

Link: CVE-2025-27378

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-27378", "assignerOrgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79", "state": "PUBLISHED", "assignerShortName": "Altium", "dateReserved": "2025-02-23T21:02:12.105Z", "datePublished": "2026-01-22T01:06:19.022Z", "dateUpdated": "2026-01-22T01:18:38.259Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["SQL parsing logic", "Database query handling"], "platforms": ["Web"], "product": "AES", "vendor": "Altium", "versions": [{"changes": [{"at": "7.0.6", "status": "unaffected"}], "lessThanOrEqual": "7.0.5", "status": "affected", "version": "7.0.3", "versionType": "semver"}]}], "datePublic": "2025-04-05T00:18:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries.<br>"}], "value": "AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries."}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}, {"capecId": "CAPEC-108", "descriptions": [{"lang": "en", "value": "CAPEC-108 Command Injection"}]}, {"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "CAPEC-7 Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79", "shortName": "Altium", "dateUpdated": "2026-01-22T01:18:38.259Z"}, "references": [{"url": "https://www.altium.com/platform/security-compliance/security-advisories"}], "source": {"discovery": "UNKNOWN"}, "title": "SQL Injection in AES Due to Inactive SQL Parsing Configuration", "x_generator": {"engine": "Vulnogram 0.5.0"}}}}