๐Ÿ” CVE Alert

CVE-2019-25260

HIGH 8.2

OXID eShop 6.3.4 - 'sorting' SQL Injection

CVSS Score
8.2
EPSS Score
0.0%
EPSS Percentile
0th

OXID eShop versions 6.x prior to 6.3.4 contains a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute arbitrary code through crafted URLs.

CWE CWE-89
Vendor oxid-esales
Product oxid eshop
Published Feb 3, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for oxid-esales oxid eshop

Be the first to know when new high vulnerabilities affecting oxid-esales oxid eshop are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Affected Versions

OXID-eSales / OXID eShop
Versions 6.x (prior to 6.3.4)

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
exploit-db.com: https://www.exploit-db.com/exploits/48527 oxid-esales.com: https://www.oxid-esales.com/ github.com: https://github.com/OXID-eSales/oxideshop_ce web.archive.org: https://web.archive.org/web/20201020223434/https://www.vulnspy.com/en-oxid-eshop-6.x-sqli-to-rce/ web.archive.org: https://web.archive.org/web/20190731211638/https://blog.ripstech.com/2019/oxid-esales-shop-software/ bugs.oxid-esales.com: https://bugs.oxid-esales.com/view.php?id=7002 vulncheck.com: https://www.vulncheck.com/advisories/oxid-eshop-sorting-sql-injection

Credits

VulnSpy