Multiple Critical Vulnerabilities in Imaster MEMS Events CRM and Patient Records Management Systems
Several critical and high-severity vulnerabilities have been identified in Imaster's MEMS Events CRM and Patient Records Management System, including SQL injection and stored Cross-Site Scripting (XSS) flaws. The vulnerabilities, tracked as CVE-2025-41003, CVE-2025-41004, CVE-2025-41005, and CVE-2025-41006, were discovered by Gonzalo Aguilar García (6h4ack) and coordinated by INCIBE. Specifically, SQL injection vulnerabilities exist in the 'id' parameter of /projects/hospital/admin/complaints.php (CVE-2025-41004), the 'keyword' parameter of /memsdemo/exchange_offers.php (CVE-2025-41005), and the 'phone' parameter of /memsdemo/login.php (CVE-2025-41006). Additionally, a stored XSS vulnerability (CVE-2025-41003) affects the 'firstname' parameter in /projects/hospital/admin/edit_patient.php`. All vulnerabilities are remotely exploitable, with CVSS v4.0 base scores ranging from 5.1 (medium) to 9.3 (critical), and no patches have been reported as available.
The vulnerabilities impact enterprise management software used for event and patient record management, posing significant risks of unauthorized access, data exfiltration, and potential compromise of sensitive information. The SQL injection flaws, in particular, allow attackers to execute arbitrary SQL commands, potentially leading to full database compromise. The stored XSS vulnerability enables the execution of arbitrary JavaScript in the context of affected users, increasing the risk of session hijacking and further exploitation. Organizations using Imaster's MEMS Events CRM or Patient Records Management System should urgently assess their exposure and implement compensating controls until official fixes are released.
Timeline
Jan 12, 2026
CVE-2025-41006 published for critical SQL injection in MEMS Events CRM login
A critical CVE entry was published for a SQL injection flaw in Imaster’s MEMS Events CRM login endpoint '/memsdemo/login.php' via the 'phone' parameter. The record stated the issue was remotely exploitable with no required privileges or user interaction.
Jan 12, 2026
CVE-2025-41005 published for SQL injection in MEMS Events CRM
A high-severity CVE entry documented a remotely exploitable SQL injection vulnerability in Imaster’s MEMS Events CRM affecting the 'keyword' parameter of '/memsdemo/exchange_offers.php'. The record cited INCIBE-CERT and recommended input sanitization and parameterized queries.
Jan 12, 2026
CVE-2025-41004 published for SQL injection in Imaster Patient Records system
A CVE entry was published for a high-severity SQL injection flaw in Imaster’s Patient Records Management System at '/projects/hospital/admin/complaints.php' via the 'id' parameter. The vulnerability was described as remotely exploitable and linked back to the INCIBE-CERT advisory.
Jan 12, 2026
INCIBE-CERT discloses multiple vulnerabilities in Imaster products
INCIBE-CERT published an advisory warning of multiple vulnerabilities affecting Imaster products, including issues later tracked as CVE-2025-41004, CVE-2025-41005, and CVE-2025-41006. The notice served as the primary public disclosure and remediation reference for the flaws.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Organizations
Affected Products
Sources
Related Stories
Multiple Unrelated Critical Vulnerabilities Disclosed in October 2025
A series of critical and high-severity vulnerabilities affecting a diverse set of software products were publicly disclosed in October 2025. Epsilon RH by Grupo Castilla was found to have a SQL injection vulnerability (CVE-2025-41028) that allows attackers to manipulate the database by sending crafted POST requests to the 'sEstadoUsr' parameter in the '/epsilonnetws/WSAvisos.asmx' endpoint. Lanscope Endpoint Manager (CVE-2025-61932) was reported to have an improper origin verification flaw, enabling attackers to execute arbitrary code via specially crafted packets, though remote exploitation is not possible. Galaxy Software Services Vitals ESP Forum Module (CVE-2025-31342) was discovered to allow remote authenticated users to upload dangerous files, leading to arbitrary command execution. Fsas Technologies Inc.'s ETERNUS SF (CVE-2025-62577) contains incorrect default permissions, allowing low-privileged users to obtain database credentials and potentially escalate privileges to execute OS commands as an administrator. Excellent Infotek's Document Management System (CVE-2025-11948) is vulnerable to unauthenticated arbitrary file upload, enabling attackers to deploy web shells and execute code on the server. Vvveb CMS up to version 1.0.5 is susceptible to authenticated code injection via its Code Editor, allowing attackers to modify files and achieve remote code execution. The Theme Editor plugin for WordPress (CVE-2025-9890) is vulnerable to cross-site request forgery, which can be exploited to achieve remote code execution if an administrator is tricked into clicking a malicious link. The PPOM plugin for WooCommerce (CVE-2025-11391) allows unauthenticated arbitrary file uploads, posing a severe risk to affected e-commerce sites. The Appointments plugin for WordPress (CVE-2017-20206) and the Flickr Gallery plugin (CVE-2017-20207) both suffer from unauthenticated PHP object injection vulnerabilities, which have been actively exploited to create backdoors using the WP_Theme() class. RegistrationMagic (CVE-2017-20208) is also affected by a PHP object injection flaw, allowing attackers to fetch and install remote files. Finally, BLU-IC2 and BLU-IC4 devices (CVE-2025-11925) have an API that returns an incorrect Content-Type header, potentially enabling HTML/JavaScript injection in responses. Each of these vulnerabilities presents a significant risk, with several allowing remote code execution, privilege escalation, or the installation of persistent backdoors. The affected products span web applications, content management systems, endpoint management tools, and specialized enterprise software. Security teams are advised to review the specific advisories, apply patches or mitigations where available, and monitor for signs of exploitation, as several vulnerabilities have been reported as actively exploited in the wild. The diversity and severity of these disclosures underscore the ongoing need for rigorous vulnerability management and timely response to public advisories.
1 months ago
SQL Injection Flaws Expose SourceCodester and CodeAstro Management Apps
MITRE has published two high-severity SQL injection vulnerabilities affecting widely available PHP-based management applications: **SourceCodester Payroll Management and Information System v1.0** and **CodeAstro Simple Attendance Management System v1.0**. The SourceCodester issue, tracked as `CVE-2026-37347`, affects `/payroll/view_employee.php` and is classified as `CWE-89`; its CVSS v3.1 vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N` indicates remote exploitation with no privileges or user interaction required, with high impact to confidentiality and integrity. The CodeAstro flaw, `CVE-2026-37749`, is also a `CWE-89` SQL injection bug and affects `index.php`, where the `username` parameter can be abused by remote, unauthenticated attackers to bypass authentication. Its CVSS v3.1 vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` reflects high impact across confidentiality, integrity, and availability. Both CVE entries were updated with severity details and public references, including GitHub documentation, underscoring the exposure of internet-reachable administrative and employee-management functions to straightforward injection attacks.
2 weeks ago
Unauthenticated SQL Injection Flaws Expose Data in CMSsite and XATABoost CMS
Two content management systems were identified with **unauthenticated SQL injection** vulnerabilities that allow remote attackers to tamper with backend database queries and extract sensitive information. `CVE-2019-25697` affects **CMSsite 1.0**, where the `cat_id` parameter in `category.php` can be abused through crafted `GET` requests, potentially exposing usernames, credentials, and other database contents. A separate flaw, `CVE-2018-25300`, affects **XATABoost CMS 1.0.0** through a **union-based SQL injection** in the `id` parameter of `news.php`, also reachable remotely without authentication via crafted `GET` requests. Both records were published with **CWE-89** classification, CVSS v3.1 and v4.0 scoring data, and references to public advisories and exploit resources, underscoring the risk of database compromise in internet-exposed deployments.
3 days ago