CVE-2025-6100: SQL Injection in realguoshuai open-video-cms

Severity: Medium
Type: Vulnerability
CVE ID: CVE-2025-6100
Tags: cve, cve-2025-6100
Published: Mon Jun 16 2025 (06/16/2025, 01:31:05 UTC)
Source: CVE Database V5
Vendor/Project: realguoshuai
Product: open-video-cms

Description

A vulnerability was found in realguoshuai open-video-cms 1.0. It has been rated as critical. This issue affects some unknown processing of the file /v1/video/list. The manipulation of the argument sort leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 06/16/2025, 02:04:29 UTC

Technical Analysis

CVE-2025-6100 is a SQL Injection vulnerability identified in version 1.0 of the open-source content management system (CMS) 'open-video-cms' developed by realguoshuai. The vulnerability resides in the processing of the /v1/video/list endpoint, specifically in the handling of the 'sort' parameter. Improper sanitization or validation of this parameter allows an attacker to inject malicious SQL code, potentially manipulating database queries executed by the application. This flaw can be exploited remotely without requiring user interaction or authentication, increasing the attack surface significantly. Although the vendor was notified early, no response or patch has been provided, and the exploit details have been publicly disclosed, raising the risk of exploitation. The CVSS 4.0 base score is 5.3 (medium severity), reflecting factors such as network attack vector, low attack complexity, no privileges or user interaction required, but limited impact on confidentiality, integrity, and availability. The vulnerability could allow attackers to extract sensitive data, modify database contents, or disrupt service depending on the underlying database permissions and application logic. However, the impact is rated as limited due to the partial scope of the injection and the absence of known exploits in the wild at the time of publication.
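The class of flaw described above, as an added example that is not code from open-video-cms: a sort value pasted into ORDER BY next to a version that builds the clause only from allow-listed constants. The table layout, the sort keys and the `key:dir` syntax are assumptions made for illustration, and SQLite stands in for whatever database the CMS uses.

```python
import sqlite3

# Assumed public sort keys mapped to real column names (hypothetical schema).
SORT_COLUMNS = {"created": "created_at", "title": "title", "views": "view_count"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_by(sort):
    """Turn 'key' or 'key:dir' into an ORDER BY clause made only of constants."""
    key, _, direction = sort.partition(":")
    direction = direction or "asc"
    if key not in SORT_COLUMNS or direction not in SORT_DIRECTIONS:
        raise ValueError("unsupported sort value")
    return f"ORDER BY {SORT_COLUMNS[key]} {SORT_DIRECTIONS[direction]}"


def list_videos_unsafe(conn, sort):
    # Flawed pattern: the request value is pasted into the statement text.
    return conn.execute(f"SELECT id, title FROM videos ORDER BY {sort}").fetchall()


def list_videos(conn, sort="created:desc", limit=20):
    # Column names cannot be bound as parameters, so the clause comes from
    # the allow-list; ordinary values such as LIMIT are still bound.
    sql = f"SELECT id, title FROM videos {build_order_by(sort)} LIMIT ?"
    return conn.execute(sql, (limit,)).fetchall()


def demo_db():
    """Constructed in-memory table standing in for the CMS database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT,"
                 " created_at TEXT, view_count INTEGER)")
    conn.executemany(
        "INSERT INTO videos (title, created_at, view_count) VALUES (?, ?, ?)",
        [("b-roll", "2025-01-02", 5), ("a-intro", "2025-01-01", 9),
         ("c-outro", "2025-01-03", 1)])
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(list_videos(db, "views:desc", limit=2))
    for bad in ("title, (SELECT 1)", "title:desc; --"):
        try:
            list_videos(db, bad)
        except ValueError as exc:
            print("rejected:", repr(bad), exc)
```

Prepared statements alone do not close this kind of hole, because a sort column is an identifier rather than a value; the allow-list is what keeps request text out of the statement.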

Potential Impact

For European organizations using open-video-cms 1.0, this vulnerability poses a tangible risk to the confidentiality and integrity of video content metadata and potentially user data stored within the CMS database. Exploitation could lead to unauthorized data disclosure, data tampering, or denial of service conditions affecting video content delivery platforms. Organizations operating video streaming services, media hosting, or educational platforms relying on this CMS may face reputational damage, regulatory compliance issues (e.g., GDPR breaches if personal data is exposed), and operational disruptions. Given the lack of vendor response and patch availability, the window for exploitation remains open, increasing the urgency for mitigation. The medium CVSS score suggests that while the vulnerability is exploitable remotely and easily, the overall damage may be contained if database permissions are properly restricted. However, in scenarios where the CMS is integrated with other critical systems or contains sensitive data, the impact could escalate. Additionally, public disclosure of the exploit details increases the likelihood of opportunistic attacks targeting European organizations.

Mitigation Recommendations

1. Immediate mitigation should include implementing web application firewall (WAF) rules to detect and block suspicious SQL injection payloads targeting the 'sort' parameter on the /v1/video/list endpoint.
2. Conduct a thorough code review and input validation enhancement for all parameters, especially 'sort', to enforce strict type checking and whitelist acceptable values.
3. Employ parameterized queries or prepared statements in the database interaction layer to eliminate direct concatenation of user input into SQL commands.
4. Restrict database user privileges associated with the CMS to the minimum necessary, preventing unauthorized data modification or extraction even if injection occurs.
5. Monitor application logs for anomalous query patterns or repeated failed attempts indicative of exploitation attempts.
6. If feasible, isolate the CMS environment from critical internal networks to limit lateral movement in case of compromise.
7. Engage with the vendor or community to encourage patch development or consider migrating to alternative CMS solutions with active security maintenance.
8. Educate development and security teams about secure coding practices and the risks of SQL injection to prevent similar vulnerabilities in future deployments.
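One way to carry out the log monitoring in item 5, as an added example that is not part of the original advisory: scan access-log lines for requests to /v1/video/list whose decoded 'sort' value falls outside the expected shape. The combined log format, the parameter travelling in the query string, and the pattern for legitimate values are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: legitimate sort values look like "title" or "created:desc".
EXPECTED_SORT = re.compile(r"[A-Za-z_]{1,32}(:(asc|desc))?")
# Client IP, request target and status from a combined-format log entry.
REQUEST = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jun/2025:02:10:01 +0000] '
    '"GET /v1/video/list?page=1&sort=created:desc HTTP/1.1" 200 5120',
    '203.0.113.7 - - [16/Jun/2025:02:10:05 +0000] '
    '"GET /v1/video/list?sort=title HTTP/1.1" 200 4870',
    '198.51.100.23 - - [16/Jun/2025:02:11:40 +0000] '
    '"GET /v1/video/list?sort=title%2C%28select%201%29 HTTP/1.1" 500 312',
    '198.51.100.23 - - [16/Jun/2025:02:11:41 +0000] '
    '"GET /v1/video/list?sort=id%27 HTTP/1.1" 500 312',
    '192.0.2.44 - - [16/Jun/2025:02:12:00 +0000] '
    '"GET /v1/video/detail?sort=x%27 HTTP/1.1" 404 90',
]


def flag_sort_anomalies(lines, path="/v1/video/list"):
    """Return (line_no, client_ip, status, decoded_sort) for unexpected values."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST.match(line)
        if not match:
            continue
        url = urlsplit(match["target"])
        if url.path != path:
            continue
        # parse_qs percent-decodes, so encoded input is compared in clear form.
        for value in parse_qs(url.query, keep_blank_values=True).get("sort", []):
            if not EXPECTED_SORT.fullmatch(value):
                findings.append((line_no, match["ip"], int(match["status"]), value))
    return findings


if __name__ == "__main__":
    for finding in flag_sort_anomalies(SAMPLE_LOG):
        print(finding)
```

Matching against the expected shape rather than a list of known-bad strings keeps the check stable as payloads vary; requests that carry 'sort' in a body would need the application's own logging instead.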

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-15T09:30:13.798Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 684f7825a8c9212743836893

Added to database: 6/16/2025, 1:49:25 AM

Last enriched: 6/16/2025, 2:04:29 AM

Last updated: 8/16/2025, 2:32:19 PM
