CVE-2025-3676

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-3676

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-3676.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-3676

Published

2025-04-16T08:15:14Z

Modified

2025-04-24T04:00:26.203124Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A vulnerability classified as critical has been found in xxyopen Novel-Plus 3.5.0. This affects an unknown part of the file /api/front/search/books. The manipulation of the argument sort leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

Affected packages

Git / github.com/201206030/novel-plus

Affected ranges

Type: GIT
Repo: https://github.com/201206030/novel-plus
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

755300db3c7390b6cdf5ded438c9372245876857

Affected versions

v1.*

v1.0.0

v1.1.0

v1.1.1

v2.*

v2.0.0

v2.0.2

v2.1.2

v2.5.0

v2.6.0

v2.8.0

v3.*

v3.0.2

v3.1.0

v3.3.0

v3.5.0