A vulnerability was found in ESAPI esapi-java-legacy and classified as critical. It affects the function Encoder.encodeForSQL of the component SQL Injection Defense. The weakness is improper neutralization of special elements: the escaping performed by encodeForSQL does not reliably neutralize SQL metacharacters in every query context, so it cannot serve as the SQL injection defense its documentation implied.
This vulnerability has been assigned CVE-2025-5878. The attack may be initiated remotely, and an exploit is available.
Upgrading the affected component is recommended. Since the fixed release disables encodeForSQL by default, also audit the code base for its call sites and replace SQL built by string concatenation around it with parameterized queries (PreparedStatement in JDBC) rather than re-enabling the feature.
The project was contacted early about this issue and handled it with an exceptional level of professionalism. In the new release the feature was disabled by default and any attempt to use it will trigger a warning. Furthermore, the misleading Java class documentation was updated to warn about the risks.
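The pattern this advisory concerns, shown beside its parameterized replacement, as an added illustration that is not code from the ESAPI project or from this page. It assumes a JDBC Connection to a MySQL database holding a hypothetical table users(id INT, name VARCHAR) and the ESAPI library on the classpath; the class and method names are invented for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.MySQLCodec;

/**
 * Added illustration, not ESAPI project code. Assumes a JDBC Connection to a
 * MySQL database with a hypothetical table users(id INT, name VARCHAR) and the
 * ESAPI library on the classpath.
 */
public class EncodeForSqlMigration {

    /**
     * Legacy pattern: escape the value, then splice it into the query text.
     * Escaping only has a defined meaning inside a quoted string literal, and
     * the codec mode has to match the server's sql_mode (e.g. NO_BACKSLASH_ESCAPES),
     * so the query is safe only by convention, not by construction.
     */
    @Deprecated
    static List<String> findByNameEscaped(Connection conn, String name) throws SQLException {
        Codec codec = new MySQLCodec(MySQLCodec.Mode.STANDARD);
        String sql = "SELECT name FROM users WHERE name = '"
                + ESAPI.encoder().encodeForSQL(codec, name) + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return names(rs);
        }
    }

    /**
     * Same pattern in a numeric context. ANSI mode only doubles single quotes,
     * so an input such as "1 OR 1=1" passes through unchanged and the WHERE
     * clause is rewritten: the escaping call contributes nothing here.
     */
    @Deprecated
    static List<String> findByIdEscaped(Connection conn, String id) throws SQLException {
        Codec codec = new MySQLCodec(MySQLCodec.Mode.ANSI);
        String sql = "SELECT name FROM users WHERE id = "
                + ESAPI.encoder().encodeForSQL(codec, id);
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return names(rs);
        }
    }

    /** Replacement: the value travels as a bound parameter, never as query text. */
    static List<String> findByName(Connection conn, String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT name FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return names(rs);
            }
        }
    }

    /** Numeric input: validate the type first, then bind; no escaping involved. */
    static List<String> findById(Connection conn, String rawId) throws SQLException {
        int id;
        try {
            id = Integer.parseInt(rawId.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("id must be an integer", e);
        }
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT name FROM users WHERE id = ?")) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return names(rs);
            }
        }
    }

    private static List<String> names(ResultSet rs) throws SQLException {
        List<String> out = new ArrayList<>();
        while (rs.next()) {
            out.add(rs.getString("name"));
        }
        return out;
    }
}
```

The two @Deprecated methods are the shape to search for when auditing a code base after the upgrade (a grep for encodeForSQL finds them); the fix is to migrate each call site to the bound-parameter form, not to re-enable the disabled feature.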