CVE-2025-34038

UNKNOWN 0.0

Weaver E-cology SQL Injection

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

A SQL injection vulnerability exists in Weaver E-cology 8.0 via the getdata.jsp endpoint. The application directly passes unsanitized user input from the sql parameter into a database query within the getSelectAllIds(sql, type) method, reachable through the cmd=getSelectAllId workflow in the AjaxManager. This allows unauthenticated attackers to execute arbitrary SQL queries, potentially exposing sensitive data such as administrator password hashes. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

CWE	CWE-89
Vendor	weaver
Product	e-cology
Published	Jun 24, 2025
Last Updated	May 14, 2026

Stay Ahead of the Next One

Get instant alerts for weaver e-cology

Be the first to know when new unknown vulnerabilities affecting weaver e-cology are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Weaver / E-cology

0 ≤ 8.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

cnblogs.com: https://www.cnblogs.com/0day-li/p/14637680.html cnvd.org.cn: https://www.cnvd.org.cn/flaw/show/CNVD-2021-33202 weaver.com.co: https://weaver.com.co/products/ecology/ vulncheck.com: https://vulncheck.com/advisories/fanwei-ecology-sql-injection

Credits

r1ch4rd_L