Impact
Key detail from CVE description: Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the gallery_id parameter. Attackers can send GET requests to gallery.php with malicious gallery_id values using UNION-based SQL injection to extract sensitive database information. The weakness is identified as CWE-89 and enables broad data exfiltration from the database without requiring prior authentication, but it does not allow arbitrary code execution.
Affected Systems
The affected product is Jettweb’s Hazir Haber Sitesi Scripti version 1, as indicated by the vendor and CPE reference (CPE: cpe:2.3:a:jettweb:php_stock_news_site_script:1:*:*:*:*:*:*:*). No additional version granularity is provided in the CNA data, so the entire V1 release is considered vulnerable. The script is a PHP-based web application, and the gallery.php endpoint is publicly accessible on installations of this script.
Risk and Exploitability
The flaw carries a CVSS score of 8.8, reflecting high severity for confidentiality impact (Score data: CVSS 8.8). EPSS indicates a very low likelihood of exploitation (<1 %), and the vulnerability is not in CISA’s KEV catalog (Score data: EPSS <1 %, KEV: not listed). According to the description, the attack vector is an unauthenticated HTTP GET request to gallery.php (Inferred attack vector: unauthenticated GET). Because no authentication or privileged context is required, the potential impact is significant for organizations running the vulnerable script, even though the current exploitation probability is low.
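The two practical takeaways from the Impact and Risk sections above are (a) the root cause is CWE-89, an integer parameter concatenated into a query, and (b) the attack surface is unauthenticated GET requests to gallery.php, which are visible in ordinary web-server access logs. The following Python example is added here as an illustration and is not code from Jettweb or from the CVE record: it shows the hardened lookup pattern (type validation plus a bound parameter, using sqlite3 as a stand-in for the script's database) and a small log scanner that flags gallery.php requests whose gallery_id is not a plain integer. The log lines, table layout, table name `gallery`, and function names are all constructed for the example.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format); not taken from the page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:12:00:01 +0000] "GET /gallery.php?gallery_id=12 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2024:12:00:05 +0000] "GET /gallery.php?gallery_id=12%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 6200
203.0.113.9 - - [10/Jan/2024:12:00:09 +0000] "GET /index.php HTTP/1.1" 200 800
203.0.113.7 - - [10/Jan/2024:12:00:12 +0000] "GET /gallery.php?gallery_id=12'%20OR%201=1-- HTTP/1.1" 500 300
"""

# Fields of one common-log-format line that the scanner needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \d+'
)

# gallery_id is documented as an id, so anything but a short digit string is anomalous.
INTEGER_ID_RE = re.compile(r"\d{1,10}")

# Coarse signature for SQL keywords and metacharacters inside a value that should be numeric.
SQLI_SIGNATURE_RE = re.compile(
    r"\b(union|select|or|and|sleep|benchmark)\b|['\"#;]|--|/\*", re.IGNORECASE
)


def classify_gallery_id(value: str):
    """Return None for a benign integer id, otherwise a short reason string."""
    if INTEGER_ID_RE.fullmatch(value):
        return None
    if SQLI_SIGNATURE_RE.search(value):
        return "sql-injection-signature"
    return "non-numeric-gallery_id"


def scan_access_log(text: str):
    """Detection pass: list gallery.php requests whose gallery_id is not a plain integer."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m.group("target"))
        if parts.path != "/gallery.php":
            continue
        # parse_qs URL-decodes the values, so "%20UNION%20" is inspected as " UNION ".
        for value in parse_qs(parts.query, keep_blank_values=True).get("gallery_id", []):
            reason = classify_gallery_id(value)
            if reason:
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": m.group("status"),
                    "gallery_id": value,
                    "reason": reason,
                })
    return hits


def build_demo_db():
    """Hypothetical in-memory gallery table standing in for the script's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gallery (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO gallery VALUES (?, ?)", [(12, "Spring"), (13, "Summer")])
    return conn


def lookup_gallery(conn, raw_value: str):
    """Hardened lookup: reject non-integer input, then bind the value as a parameter.

    The query text never contains user data, so the database engine cannot
    interpret any part of gallery_id as SQL (this is the CWE-89 mitigation).
    """
    if not INTEGER_ID_RE.fullmatch(raw_value):
        raise ValueError("gallery_id must be a positive integer")
    cur = conn.execute("SELECT id, title FROM gallery WHERE id = ?", (int(raw_value),))
    return cur.fetchall()


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
    db = build_demo_db()
    print(lookup_gallery(db, "12"))
```

Running the module prints the two flagged requests from the constructed log and the single row returned for a well-formed id; passing a tampered gallery_id to `lookup_gallery` raises `ValueError` before any query is executed. In a real deployment the regex-based scanner is a triage aid for hunting in existing logs, while the parameterised query is the actual fix.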
OpenCVE Enrichment