CVE-2025-51510: 
PHP vulnerability analysis and mitigation

MoonShine was discovered to contain a SQL injection vulnerability under the Blog -> Categories page when using the moonshine-tree-resource (version < 2.0.2) component. The vulnerability was disclosed on August 19, 2025, and affects the MoonShine software platform (MoonShine GitHub, MoonShine Tree).

The vulnerability exists in the data parameter under the Blog module when using the moonshine-tree-resource component. The issue received a CVSS v3.1 Base Score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (NVD Database).

The SQL injection vulnerability allows attackers with high privileges to access sensitive information from the database, including the ability to extract user credentials and other confidential data. The vulnerability primarily affects the confidentiality of the system, with no direct impact on integrity or availability (PoC Repository).

Users should upgrade to moonshine-tree-resource version 2.0.2 or later to address this vulnerability. The fix was released in the moonshine-tree-resource component update (MoonShine Tree).