cve/2025/CVE-2025-53122.md

### [CVE-2025-53122](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53122)
![](https://img.shields.io/static/v1?label=Product&message=Horizon&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=Meridian&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=2024.1.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=25.2.1%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=33.0.8%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-89%20Improper%20Neutralization%20of%20Special%20Elements%20used%20in%20an%20SQL%20Command%20('SQL%20Injection')&color=brightgreen)

### Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in OpenNMS Horizon and Meridian applications allows SQL Injection. Usersshould upgrade to Meridian 2024.2.6 or newer, or Horizon 33.16 or newer. Meridian andHorizon installation instructions state that they are intended for installationwithin an organization's private networks and should not be directly accessiblefrom the Internet.

### POC

#### Reference
- https://docs.opennms.com/meridian/2024/releasenotes/changelog.html#releasenotes-changelog-Meridian-2024.2.6

#### Github
No PoCs found on GitHub currently.