CVE-2025-64519: TorrentPier is Vulnerable to Authenticated SQL Injection through Moderator Control Panel's topic_id parameter

November 10, 2025 (updated May 13, 2026)

An authenticated SQL injection vulnerability exists in the moderator control panel (modcp.php). Users with moderator permissions can exploit this vulnerability by supplying a malicious topic_id (t) parameter. This allows an authenticated moderator to execute arbitrary SQL queries, leading to the potential disclosure, modification, or deletion of any data in the database.

References

github.com/advisories/GHSA-4rwr-8c3m-55f6
github.com/torrentpier/torrentpier/commit/6a0f6499d89fa5d6e2afa8ee53802a1ad11ece80
github.com/torrentpier/torrentpier/releases/tag/v2.8.9
github.com/torrentpier/torrentpier/security/advisories/GHSA-4rwr-8c3m-55f6
nvd.nist.gov/vuln/detail/CVE-2025-64519

Code Behaviors & Features

Detect and mitigate CVE-2025-64519 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →