9/23/2025/2 minutes to read/Tags: CVEs, SQLi, i-Educar
Introduction
While exploring i-Educar, I identified a serious Boolean-Based SQL Injection flaw in the id parameter of the /module/ComponenteCurricular/edit endpoint.
With the help of the tool sqlmap, it was possible to exploit the flaw and extract information directly from the database.
What is CVE-2025-10846?
The CVE-2025-10846 describes a SQL Injection flaw in the /module/ComponenteCurricular/edit endpoint, where the id parameter is not properly validated.
Using Boolean techniques, it was possible to infer the database structure, access confidential data, and explore the backend without generating errors visible to the user.
The sqlmap will automatically test the id parameter, and after a few minutes it will begin revealing the available databases, confirming the injection:
With the injection confirmed, it was also possible to list tables and columns with additional sqlmap commands, highlighting the potential for data exfiltration:
You can access the full technical report with all step-by-step evidence here: