Description
SQL injection vulnerability in Zeon Academy Pro by Zeon Global Tech. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a POST request using the parameter 'phonenumber' in '/private/continue-upload.php'.
Published: 2026-04-21
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Database Compromise via SQL Injection
Action: Monitor
AI Analysis

Impact

This vulnerability is a classic SQL injection flaw (CWE‑89) that lets an attacker embed malicious SQL code through the 'phonenumber' field in a POST request to the /private/continue-upload.php endpoint. By exploiting this weakness, an attacker can read, modify, or delete any data in the underlying database, thereby compromising data integrity, confidentiality, and potentially availability.

Affected Systems

The affected product is Zeon Academy Pro from Zeon Global Tech. No specific affected versions are listed, so all releases of the product are potentially vulnerable until a patch is released.

Risk and Exploitability

With a CVSS score of 9.3, the vulnerability is considered critical. The EPSS score is not available, but the lack of a known patch and the high severity suggest that exploitation is plausible and could be performed remotely via HTTP POST. The vulnerability is not listed in the CISA KEV catalog, but that does not reduce the risk to the user. The likely attack vector is a web request to the exposed endpoint, meaning that anyone with network access to the application can initiate the exploit.

Generated by OpenCVE AI on April 22, 2026 at 03:06 UTC.

Remediation

Vendor Solution

There is no solution reported at this time.


OpenCVE Recommended Actions

  • Validate and sanitize the 'phonenumber' parameter to ensure it contains only expected characters and length constraints.
  • Throttle or block POST requests to /private/continue-upload.php from unidentified or unauthenticated users using a web application firewall.
  • Regularly audit Zeon Academy Pro updates and apply any vendor-released patch as soon as it becomes available.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Zeon Global Tech; Zeon Global Tech zeon Academy Pro
Vendors & Products | | Zeon Global Tech; Zeon Global Tech zeon Academy Pro

Tue, 21 Apr 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | SQL injection vulnerability in Zeon Academy Pro by Zeon Global Tech. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a POST request using the parameter 'phonenumber' in '/private/continue-upload.php'.
Title | | SQL injection in Zeon Academy Pro by Zeon Global Tech
Weaknesses | | CWE-89
References | |
Metrics | | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-04-21T16:23:02.186Z

Reserved: 2025-04-16T09:09:26.929Z

Link: CVE-2025-41029

Vulnrichment

Updated: 2026-04-21T16:22:41.615Z

NVD

Status: Awaiting Analysis

Published: 2026-04-21T16:16:19.350

Modified: 2026-04-21T16:20:24.180

Link: CVE-2025-41029

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:46:22Z
