CRITICAL🇵🇱 Wersja polska

CVE-2025-50567

CVSS 10.0v3.1pub. 2025-08-19upd. 2026-07-05

Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. This leads to injection of user-controlled SQL statements, potentially leading to arbitrary PHP code execution.

🤖 AI Analysis
How it works

The DB::prepare() function responsible for preparing SQL queries uses a preg_replace() call with the /e modifier, which in PHP causes evaluation of the matched expression as PHP code (eval). An attacker can supply crafted input data that will be injected as SQL query parameters and then interpreted and executed as PHP code by the eval mechanism. As a result, this leads to a combination of SQL injection (CWE-89) and arbitrary code execution (CWE-94) in a single attack vector.

Impact

An attacker without any authentication can execute arbitrary PHP code on the server (RCE), which in practice means complete takeover of the system, data theft or modification, as well as the possibility of lateral movement within the internal network.

Mitigation & patch

Patches available from the vendor should be applied according to the references. As a remedial measure, disabling or isolating the Saurus CMS instance from public access should be immediately considered until the patch is applied. The /e modifier in preg_replace() is deprecated and removed in newer PHP versions — verification of the PHP environment configuration may limit exploitation.

Who is affected

Saurus CMS Community Edition version 4.7.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCESQLi
CWE
References