CVE-2025-65379 Summary: Web app contains a SQL Injection vulnerability in the endpoint. The and parameters accept user-supplied input which is concatenated directly into a backend SQL query without proper validation or parameterization. An attacker can supply crafted input to manipulate the SQL statement executed by the database. Affected Versions: Billing System 1.0 Vulnerability Details: The endpoint concatenates user-supplied values from (specifically and ) directly into an SQL query. Because these inputs are not validated, sanitized, or parameterized, an attacker can inject SQL and manipulate the query, leading to information disclosure, account takeover, or database modification. Impact: A remote attacker can exploit this flaw to bypass authentication, retrieve unauthorized data from the database, or potentially compromise the entire application's database integrity. Credits: Discovered by Dewanand Vishal (dewcode) References: https://phpgurukul.com/billing-system-using-php-and-mysql/