2025-12-25 22:02 · CVE-2025-15088 · VulDB
PUBLISHED · CVE record format 5.2 · CWE-89 · CWE-74

ketr JEPaaS loadPostil postilService.loadPostils sql injection

A vulnerability was detected in ketr JEPaaS up to 7.2.8. Affected by this vulnerability is the function postilService.loadPostils of the file /je/postil/postil/loadPostil. Performing manipulation of the argument keyWord results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Problem type: CWE-89 (SQL Injection); CWE-74 (Injection)

Affected products

ketr

JEPaaS

7.2.0 - AFFECTED

7.2.1 - AFFECTED

7.2.2 - AFFECTED

7.2.3 - AFFECTED

7.2.4 - AFFECTED

7.2.5 - AFFECTED

7.2.6 - AFFECTED

7.2.7 - AFFECTED

7.2.8 - AFFECTED

References

GitHub Security Advisories

GHSA-vxpf-6v9m-jq3x

A vulnerability was detected in ketr JEPaaS up to 7.2.8. Affected by this vulnerability is the...

https://github.com/advisories/GHSA-vxpf-6v9m-jq3x

A vulnerability was detected in ketr JEPaaS up to 7.2.8. Affected by this vulnerability is the function postilService.loadPostils of the file /je/postil/postil/loadPostil. Performing manipulation of the argument keyWord results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

JSON source

https://cveawg.mitre.org/api/cve/CVE-2025-15088
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2025-15088",
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "dateUpdated": "2025-12-25T22:02:06.408Z",
    "dateReserved": "2025-12-25T09:52:39.720Z",
    "datePublished": "2025-12-25T22:02:06.408Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB",
        "dateUpdated": "2025-12-25T22:02:06.408Z"
      },
      "title": "ketr JEPaaS loadPostil postilService.loadPostils sql injection",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was detected in ketr JEPaaS up to 7.2.8. Affected by this vulnerability is the function postilService.loadPostils of the file /je/postil/postil/loadPostil. Performing manipulation of the argument keyWord results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "affected": [
        {
          "vendor": "ketr",
          "product": "JEPaaS",
          "versions": [
            {
              "version": "7.2.0",
              "status": "affected"
            },
            {
              "version": "7.2.1",
              "status": "affected"
            },
            {
              "version": "7.2.2",
              "status": "affected"
            },
            {
              "version": "7.2.3",
              "status": "affected"
            },
            {
              "version": "7.2.4",
              "status": "affected"
            },
            {
              "version": "7.2.5",
              "status": "affected"
            },
            {
              "version": "7.2.6",
              "status": "affected"
            },
            {
              "version": "7.2.7",
              "status": "affected"
            },
            {
              "version": "7.2.8",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "SQL Injection",
              "cweId": "CWE-89",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Injection",
              "cweId": "CWE-74",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://vuldb.com/?id.338416",
          "name": "VDB-338416 | ketr JEPaaS loadPostil postilService.loadPostils sql injection",
          "tags": [
            "vdb-entry",
            "technical-description"
          ]
        },
        {
          "url": "https://vuldb.com/?ctiid.338416",
          "name": "VDB-338416 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ]
        },
        {
          "url": "https://vuldb.com/?submit.708321",
          "name": "Submit #708321 | 北京凯特伟业科技有限公司 jepaas v7.2.8 SQL Injection",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://github.com/ha1yu-Yiqiyin/warehouse/blob/main/jepaas-v7.2.8-sqlinject1.md",
          "tags": [
            "related"
          ]
        },
        {
          "url": "https://github.com/ha1yu-Yiqiyin/warehouse/blob/main/jepaas-v7.2.8-sqlinject1.md#2%E5%A4%8D%E7%8E%B0replicate",
          "tags": [
            "exploit"
          ]
        }
      ],
      "metrics": [
        {},
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM"
          }
        },
        {
          "cvssV3_0": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM"
          }
        },
        {
          "cvssV2_0": {
            "version": "2.0",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C",
            "baseScore": 6.5
          }
        }
      ],
      "timeline": [
        {
          "time": "2025-12-25T00:00:00.000Z",
          "lang": "en",
          "value": "Advisory disclosed"
        },
        {
          "time": "2025-12-25T01:00:00.000Z",
          "lang": "en",
          "value": "VulDB entry created"
        },
        {
          "time": "2025-12-25T10:57:43.000Z",
          "lang": "en",
          "value": "VulDB entry last update"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "red0_ha1yu (VulDB User)",
          "type": "reporter"
        }
      ]
    }
  }
}