Unauthenticated SQL Injection Flaws Expose Data in CMSsite and XATABoost CMS
Two content management systems were identified with unauthenticated SQL injection vulnerabilities that allow remote attackers to tamper with backend database queries and extract sensitive information. CVE-2019-25697 affects CMSsite 1.0, where the cat_id parameter in category.php can be abused through crafted GET requests, potentially exposing usernames, credentials, and other database contents.
A separate flaw, CVE-2018-25300, affects XATABoost CMS 1.0.0 through a union-based SQL injection in the id parameter of news.php, also reachable remotely without authentication via crafted GET requests. Both records were published with CWE-89 classification, CVSS v3.1 and v4.0 scoring data, and references to public advisories and exploit resources, underscoring the risk of database compromise in internet-exposed deployments.
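The two records above describe the same weakness class: an integer-looking GET parameter (`cat_id` in category.php, `id` in news.php) is spliced into a SQL statement, so anything that is not a plain number changes the query's structure. The following added example (it is not code from CMSsite, XATABoost CMS or the CVE records, and it uses Python with an in-memory SQLite table in place of the PHP/MySQL stack those products run on) shows the concatenation anti-pattern beside its hardened form, and a log-based check a defender can run over web-server access logs for the two endpoints the records name. The table and column names, the sample rows and the log lines are constructed for the demo.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Endpoint -> injectable parameter, as named in the two CVE records.
INJECTABLE_PARAMS = {
    "/category.php": "cat_id",   # CMSsite 1.0, CVE-2019-25697
    "/news.php": "id",           # XATABoost CMS 1.0.0, CVE-2018-25300
}
# Allow-list for an identifier parameter: digits only, bounded length.
STRICT_INT = re.compile(r"[0-9]{1,10}")


def is_plain_integer(raw):
    """True only if the raw GET value is nothing but 1-10 decimal digits."""
    return STRICT_INT.fullmatch(raw) is not None


def build_demo_db():
    """In-memory table standing in for a CMS category table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (cat_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?)",
                     [(1, "news"), (2, "events"), (3, "internal")])
    return conn


def vulnerable_query(cat_id):
    """The CWE-89 anti-pattern: the request value is concatenated into SQL.
    Returned as a string only (never executed here) so the reader can see that
    any non-numeric input becomes part of the statement itself."""
    return f"SELECT name FROM categories WHERE cat_id = {cat_id}"


def safe_category_lookup(conn, cat_id_raw):
    """Hardened form: reject anything but a plain integer, then bind the value
    as a query parameter so the database engine never parses it as SQL."""
    if not is_plain_integer(cat_id_raw):
        raise ValueError("cat_id must be a plain integer")
    row = conn.execute("SELECT name FROM categories WHERE cat_id = ?",
                       (int(cat_id_raw),)).fetchone()
    return row[0] if row else None


def flag_suspicious_requests(log_lines):
    """Detection check over combined-format access log lines: report every
    request to an affected endpoint whose injectable parameter is not a plain
    integer. Returns (line_number, path, param, decoded_value) tuples."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"GET (\S+) HTTP', line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        param = INJECTABLE_PARAMS.get(parts.path)
        if param is None:
            continue
        # parse_qs percent-decodes the values, so "2%27" arrives as "2'".
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            if not is_plain_integer(value):
                hits.append((n, parts.path, param, value))
    return hits


# Constructed sample log lines (combined-log style), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Apr/2026:10:00:01 +0000] "GET /category.php?cat_id=2 HTTP/1.1" 200 512',
    '203.0.113.5 - - [29/Apr/2026:10:00:02 +0000] "GET /category.php?cat_id=2%27 HTTP/1.1" 500 0',
    '198.51.100.7 - - [29/Apr/2026:10:00:03 +0000] "GET /news.php?id=7 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [29/Apr/2026:10:00:04 +0000] "GET /news.php?id=7%20UNION%20SELECT%201 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [29/Apr/2026:10:00:05 +0000] "GET /index.php?id=abc HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    conn = build_demo_db()
    print("lookup 2 ->", safe_category_lookup(conn, "2"))
    print("concatenated SQL for \"2'\" ->", vulnerable_query("2'"))
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

The allow-list check is deliberately stricter than "escape quotes": for an identifier parameter there is no legitimate reason to accept anything but digits, so rejecting everything else both closes the injection and gives the log check a precise, low-noise signal. The last sample line shows the check ignoring a non-numeric value on an endpoint the records do not cover, which keeps the rule scoped to the known-affected paths.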
Timeline
Apr 29, 2026
CVE-2018-25300 submitted for XATABoost CMS 1.0.0 SQL injection flaw
A new CVE entry for an unauthenticated union-based SQL injection in the id parameter of news.php in XATABoost CMS 1.0.0 was received by disclosure@vulncheck.com. The flaw can be exploited remotely via crafted GET requests to extract sensitive database information.
Apr 12, 2026
CMSsite 1.0 SQL injection vulnerability documented as CVE-2019-25697
A CVE record describes an unauthenticated SQL injection flaw in the cat_id parameter handled by category.php in CMSsite 1.0. The issue can be exploited with crafted GET requests to manipulate database queries and expose sensitive information such as usernames and credentials.
Related Stories

SQL Injection Flaws Expose SourceCodester and CodeAstro Management Apps
MITRE has published two high-severity SQL injection vulnerabilities affecting widely available PHP-based management applications: **SourceCodester Payroll Management and Information System v1.0** and **CodeAstro Simple Attendance Management System v1.0**. The SourceCodester issue, tracked as `CVE-2026-37347`, affects `/payroll/view_employee.php` and is classified as `CWE-89`; its CVSS v3.1 vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N` indicates remote exploitation with no privileges or user interaction required, with high impact to confidentiality and integrity. The CodeAstro flaw, `CVE-2026-37749`, is also a `CWE-89` SQL injection bug and affects `index.php`, where the `username` parameter can be abused by remote, unauthenticated attackers to bypass authentication. Its CVSS v3.1 vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` reflects high impact across confidentiality, integrity, and availability. Both CVE entries were updated with severity details and public references, including GitHub documentation, underscoring the exposure of internet-reachable administrative and employee-management functions to straightforward injection attacks.
2 weeks ago
CI4MS Stored DOM XSS Flaws Enable Account Takeover and Privilege Escalation
Two high-severity vulnerabilities in **CI4MS**, a CodeIgniter 4-based CMS skeleton, allow authenticated low-privilege users to trigger **stored DOM-based XSS** that can lead to full account takeover across roles and privilege escalation. **`CVE-2026-34558`** affects the **Methods Management** functionality, where improperly sanitized and encoded user input can be stored server-side and later executed in administrative interfaces and global navigation components. A second flaw, **`CVE-2026-34565`**, impacts **Menu Management** for posts, where malicious post data added to navigation menus can execute in both admin dashboards and public-facing menus. Both issues are classified as **CWE-79** and carry the same **CVSS v3.1** vector, `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L`; they affect CI4MS versions prior to **`0.31.0.0`** and were patched in **`0.31.0.0`**.
3 weeks ago
SQL Injection Flaws Disclosed in KomSeo Cart and PilusCart
Two SQL injection vulnerabilities have been disclosed in legacy shopping cart software, affecting **KomSeo Cart 1.3** and **PilusCart 1.4.1**. The KomSeo Cart issue, tracked as `CVE-2018-25206`, affects the `my_item_search` parameter in `edit.php`, where crafted `POST` requests can trigger **boolean-based blind** or **error-based** SQL injection and expose sensitive database contents. The PilusCart flaw, tracked as `CVE-2019-25672`, affects the `send` parameter in a comment submission endpoint and allows unauthenticated attackers to perform **RLIKE-based boolean SQL injection** through `POST` requests. Both CVEs are classified as **CWE-89: Improper Neutralization of Special Elements used in an SQL Command** and were published with **CVSS v3.1** and **CVSS v4.0** scoring metadata. The records link to public references including **Exploit-DB**, **VulnCheck**, and project or vendor-related sources, indicating that exploit details and technical validation are available. Organizations still running either cart platform should treat the flaws as database-compromise risks because successful exploitation could allow attackers to extract sensitive information without authentication.
3 weeks ago