Impact
Personnel Property Equipment System v1.0 contains an SQL Injection vulnerability in the /ppes/admin/advance_search.php endpoint. An attacker who can send crafted requests to this URL can inject arbitrary SQL code into the underlying database query. While the description does not explicitly state the extent of data exposure or privilege escalation, the CWE-89 classification indicates that the flaw could allow disclosure of confidential data, modification of records, or potentially full compromise of the database if the database account has high privileges. This type of issue undermines the confidentiality and integrity of the system's data and may give attackers a foothold for further attacks against the underlying infrastructure.
Affected Systems
The affected product is Personnel Property Equipment System version 1.0, as identified by its CPE string. No vendor name is supplied by the CNA; the vulnerability is specific to this version of the application.
Risk and Exploitability
The CVSS base score of 9.8 indicates that the vulnerability is severe. Its EPSS score is reported as < 1%, meaning the estimated probability of exploitation is very low at the time of this analysis, although that assessment can change rapidly. The vulnerability is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is web-based: an authenticated or unauthenticated user supplies request input that reaches the backend database query. The exploit path requires access to the /ppes/admin/advance_search.php endpoint, so restricting network access to that path or requiring proper authentication could mitigate exploitation. Publicly known exploits are not documented, but the high CVSS score suggests that attackers will prioritize this flaw once an exploit becomes available.
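To make the CWE-89 pattern and the two mitigations above concrete, the following is an added illustration written for this page; it is not the code of Personnel Property Equipment System, and the table and column names, request parameter names, session key, and database credentials are all assumptions. It shows a search handler that concatenates input into SQL (the vulnerable shape) beside a hardened version that requires an authenticated admin session and uses a prepared statement with bound parameters:

```php
<?php
// Added example for an SQL-injectable search endpoint and its hardened form.
// Not the vendor's code: table/column names, parameter names, the session key
// and the DB credentials are assumptions made for illustration.
declare(strict_types=1);

session_start();

// Mitigation 1: require an authenticated admin session before any query is
// built, so the endpoint is not reachable by unauthenticated requests.
// Assumed session key: 'admin_id'.
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// Placeholder credentials; a real deployment reads these from configuration.
$db = new mysqli('localhost', 'ppes_user', 'ppes_password', 'ppes_db');
$db->set_charset('utf8mb4');

// --- Vulnerable shape (shown only for contrast) ---
// Request input is spliced straight into the statement text, so whatever
// the caller sends becomes part of the SQL the database parses (CWE-89).
function searchEquipmentUnsafe(mysqli $db, string $keyword, string $dept): mysqli_result|false
{
    $sql = "SELECT id, name, department FROM equipment "
         . "WHERE name LIKE '%" . $keyword . "%' AND department = '" . $dept . "'";
    return $db->query($sql);
}

// --- Hardened shape: prepared statement with bound parameters ---
// The statement text is sent to MySQL first and the values separately, so
// input is only ever treated as data, never as SQL syntax.
function searchEquipmentSafe(mysqli $db, string $keyword, string $dept): array
{
    $stmt = $db->prepare(
        'SELECT id, name, department FROM equipment '
      . 'WHERE name LIKE ? AND department = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // Build the LIKE pattern in PHP and bind it as one string. The LIKE
    // metacharacters % and _ are escaped so a keyword cannot widen the match;
    // that is a separate concern from SQL injection, which binding prevents.
    $pattern = '%' . addcslashes($keyword, '%_\\') . '%';
    $stmt->bind_param('ss', $pattern, $dept);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // requires mysqlnd
    $stmt->close();
    return $rows;
}

// Assumed names of the search form's request parameters.
$keyword = (string)($_GET['keyword'] ?? '');
$dept    = (string)($_GET['department'] ?? '');

// Defence in depth: reject out-of-spec input before it reaches the database
// (length cap on free text, allow-list on the department code).
if (strlen($keyword) > 100 || !preg_match('/^[A-Za-z0-9_-]{0,32}$/', $dept)) {
    http_response_code(400);
    exit('Bad request');
}

header('Content-Type: application/json');
echo json_encode(searchEquipmentSafe($db, $keyword, $dept));
```

The session check at the top implements the "requiring proper authentication" mitigation, and the network-restriction alternative belongs in the web server or firewall configuration rather than in the script. The decisive fix for the CWE-89 flaw itself is the prepared statement: the allow-list and length cap reduce the attack surface but would not be sufficient on their own.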
OpenCVE Enrichment