Impact
Unvalidated user input in the profile_list endpoint of Zeeways Matrimony CMS permits an unauthenticated attacker to inject arbitrary SQL via the up_cast, s_mother, and s_religion parameters. The flaw enables extraction of database contents through time-based or error-based techniques, exposing sensitive information such as user credentials, personal data, and other confidential records. It is a classic SQL injection (CWE-89) that directly compromises data confidentiality.
Affected Systems
The vulnerability affects Zeeways Matrimony CMS, provided by Zeeways. The available documentation does not specify affected product versions, so all installations that expose the profile_list endpoint should be treated as potentially vulnerable. Administrators should verify whether their deployment includes this module and whether the vendor has released any mitigation.
Risk and Exploitability
With a CVSS score of 8.8, the flaw is rated high severity. No EPSS score is listed, but the vulnerability is publicly known and the exploit is straightforward: a single unauthenticated HTTP request to the site can trigger the injection, with no additional permissions or complex setup. The attack vector is inferred to be remote over the network, since the endpoint is exposed via HTTP. Because the flaw is not listed in KEV, observed exploitation may still be low, yet the inherent confidentiality risk and ease of exploitation warrant immediate attention.
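A log-triage check for the three parameters named above, added here as an illustration and not code from OpenCVE or the vendor: it parses web-server access logs and flags profile_list requests whose up_cast, s_mother or s_religion values fall outside an allowlisted shape. The log lines, the /profile_list.php path and the allowlist pattern are constructed assumptions to be tuned to the real deployment.

```python
import re
from urllib.parse import parse_qs, urlparse

# Parameters of the profile_list endpoint named in the advisory.
WATCHED_PARAMS = {"up_cast", "s_mother", "s_religion"}

# Assumed benign shape for these filter values (hypothetical allowlist;
# adjust to the values the deployment actually accepts).
BENIGN = re.compile(r"[A-Za-z0-9 _\-]{0,64}")

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_params(target: str) -> dict:
    """Return watched params of a profile_list request whose (URL-decoded)
    values do not fully match the benign allowlist; {} for other endpoints."""
    url = urlparse(target)
    if "profile_list" not in url.path:
        return {}
    qs = parse_qs(url.query, keep_blank_values=True)
    return {
        name: values
        for name, values in qs.items()
        if name in WATCHED_PARAMS and any(not BENIGN.fullmatch(v) for v in values)
    }


def triage(log_lines):
    """Scan access-log lines and return one finding per request that carries
    an out-of-allowlist value in a watched profile_list parameter."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        bad = suspicious_params(m["target"])
        if bad:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "status": m["status"], "params": bad})
    return findings


# Constructed sample log: one normal filter request, one profile_list request
# carrying a quote/comment sequence (note the server-side 500), and one
# request to an unrelated endpoint that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /profile_list.php?up_cast=Brahmin&s_religion=Hindu HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /profile_list.php?s_religion=Hindu%27%29%20--%20&s_mother= HTTP/1.1" 500 318',
    '203.0.113.9 - - [10/Oct/2023:13:56:20 +0000] "GET /search.php?q=O%27Brien HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Pairing a flagged parameter with a 500 response, as in the second sample line, is a useful secondary signal for error-based probing; time-based probing shows up instead as unusually long request durations, which this log format does not record.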
OpenCVE Enrichment