CVE-2025-64519
PHP vulnerability analysis and mitigation

Overview

TorrentPier, an open source BitTorrent Public/Private tracker engine written in PHP, contains an authenticated SQL injection vulnerability (CVE-2025-64519) in versions up to and including 2.8.8. The vulnerability exists in the moderator control panel (modcp.php) where authenticated users with moderator permissions can exploit the vulnerability through the topic_id (t) parameter. The issue was discovered and disclosed in November 2025 (GitHub Advisory).

Technical details

The vulnerability occurs in the moderator control panel when processing requests that include a topic_id parameter. The $topic_id value is taken directly from user input without sanitization or parameterization before being concatenated into SQL queries. This vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-89 (SQL Injection) (GitHub Advisory, NVD).

Impact

Despite requiring moderator privileges, the vulnerability is considered severe as it allows authenticated moderators to execute arbitrary SQL queries. This can lead to unauthorized access to sensitive data, including user credentials, private messages, and email addresses. Additionally, attackers can modify or delete database records, potentially corrupting forum data or elevating privileges (GitHub Advisory).

Mitigation and workarounds

A patch has been released in commit 6a0f6499d89fa5d6e2afa8ee53802a1ad11ece80 which implements proper input validation by casting the topic_id parameter to an integer. Organizations running affected versions should update their installations immediately (GitHub Commit).
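As an added illustration (not TorrentPier's own code; the table and column names are assumptions, since the page does not show the affected query), the concatenation pattern the advisory describes is shown beside the integer-cast fix and a parameterized variant:

```php
<?php
// Added illustration, not TorrentPier's own code. The page describes modcp.php
// concatenating the topic id (the "t" request parameter) into SQL; the table
// and column names below (bb_topics, topic_id, forum_id) are assumptions.

declare(strict_types=1);

// VULNERABLE pattern (what CVE-2025-64519 describes): the raw request value is
// interpolated into the query text, so anything after the digits becomes SQL.
function build_topic_query_vulnerable(string $t): string
{
    return "SELECT topic_id, forum_id FROM bb_topics WHERE topic_id = $t";
}

// HARDENED pattern matching the published fix: cast to int before the value
// reaches the query. PHP keeps only the leading numeric part (or 0), so only
// an integer can ever appear in the query text.
function build_topic_query_fixed(string $t): string
{
    $topic_id = (int) $t;
    return "SELECT topic_id, forum_id FROM bb_topics WHERE topic_id = $topic_id";
}

// Defence in depth: keep the cast, but also bind the value as a parameter so
// the query text never depends on user input at all, and reject impossible ids.
function fetch_topic(PDO $db, string $t): ?array
{
    $topic_id = (int) $t;
    if ($topic_id <= 0) {
        return null;
    }
    $stmt = $db->prepare('SELECT topic_id, forum_id FROM bb_topics WHERE topic_id = :tid');
    $stmt->bindValue(':tid', $topic_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample input: a benign id and a value carrying trailing SQL.
foreach (['42', '42 OR 1=1'] as $input) {
    echo "input: $input\n";
    echo "  vulnerable: " . build_topic_query_vulnerable($input) . "\n";
    echo "  fixed:      " . build_topic_query_fixed($input) . "\n";
}
```

Running the loop shows the second input reaching the vulnerable query verbatim, while the fixed builder emits `topic_id = 42` for both inputs.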


Related PHP vulnerabilities:

CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date
CVE-2025-64519 | HIGH | 8.8 | PHP | torrentpier/torrentpier | No | No | Nov 10, 2025
CVE-2025-64500 | HIGH | 7.3 | PHP | symfony/symfony | No | Yes | Nov 12, 2025
CVE-2025-55155 | MEDIUM | 5.4 | PHP | mantisbt/mantisbt | No | Yes | Nov 04, 2025
CVE-2025-62520 | MEDIUM | 5.3 | PHP | mantisbt/mantisbt | No | Yes | Nov 04, 2025
CVE-2025-64174 | MEDIUM | 4.6 | PHP | openmage/magento-lts | No | Yes | Nov 06, 2025
