CVE-2025-13168 | ury-erp ury up to 0.2.0 pos_extend.py overrided_past_order_list search_term SQL injection

SecurityVulns

A vulnerability marked as critical has been reported in ury-erp ury up to 0.2.0. It affects the function overrided_past_order_list of the file ury/ury/api/pos_extend.py. Manipulation of the argument search_term causes SQL injection.

This vulnerability is registered as CVE-2025-13168. The attack can be carried out remotely. Furthermore, an exploit is available.

It is suggested to upgrade the affected component.

The vendor replied and reacted very professionally.