What is CVE-2025-64081?

CVE-2025-64081 is a publicly disclosed cybersecurity vulnerability with a CRITICAL severity rating and CVSS score of 9.8.

How to search for CVE vulnerabilities?

You can search the 4nuxd CVE database using CVE IDs, vendor names, product names, or severity levels.

CVE-2025-64081

CRITICAL9.8/ 10.0

Published: December 8, 2025 at 06:15 PM

Modified: December 8, 2025 at 10:15 PM

Source: cve@mitre.org

Vulnerability Description

SQL injection vulnerability in /php/api_patient_schedule.php in SourceCodester Patients Waiting Area Queue Management System v1 allows attackers to execute arbitrary SQL commands via the appointmentID parameter.

CVSS Metrics

Base Score

9.8

Severity

CRITICAL

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-89

Source: nvd@nist.gov

CWE-89

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

AI Security Analysis

01 // Technical Summary

SourceCodester Patients Waiting Area Queue Management System v1 is vulnerable to a critical SQL injection flaw, allowing attackers to execute arbitrary SQL commands. Successful exploitation grants attackers unauthorized access to the application's database, potentially leading to data breaches, system compromise, and loss of sensitive patient information.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: The attacker crafts a malicious SQL injection payload designed to be inserted into the appointmentID parameter of a request to /php/api_patient_schedule.php.

Step 2: Request Submission: The attacker submits the crafted payload via an HTTP GET or POST request to the vulnerable endpoint.

Step 3: Query Execution: The application receives the request and incorporates the attacker-supplied appointmentID value directly into an SQL query without proper sanitization.

Step 4: SQL Injection: The database server interprets the injected SQL code as part of the query, allowing the attacker to execute arbitrary SQL commands.

Step 5: Data Exfiltration/System Compromise: Depending on the injected SQL commands, the attacker can then retrieve sensitive data (e.g., patient records, credentials), modify data, or potentially gain control over the underlying server.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation and sanitization of the appointmentID parameter within the /php/api_patient_schedule.php script. The application directly incorporates user-supplied data from this parameter into SQL queries without proper escaping or filtering. This allows an attacker to inject malicious SQL code, altering the intended query logic and enabling unauthorized database interactions. The root cause is a lack of parameterized queries or prepared statements, which would have prevented the injection of malicious SQL code.