Description
Library CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can send POST requests to the admin login endpoint with boolean-based blind SQL injection payloads in the username field to manipulate database queries and gain unauthorized access.
Published: 2026-03-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Administrator Access via SQL Injection
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a boolean‑based blind SQL injection flaw located in the username field of the admin login. Unauthenticated attackers can craft POST requests that manipulate the database query used for authentication, causing the system to accept the login without valid credentials. This results in full administrative privileges, allowing the attacker to read, modify, or delete library records.

Affected Systems

The flaw impacts Wecodex’s Library CMS 1.0 and the identical Kaasoft distribution, both sharing the same code base. No other vendors or product versions are listed as affected.

Risk and Exploitability

With a CVSS score of 8.8 the weakness is rated high severity, threatening confidentiality and integrity of the data. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and the vulnerability is not present in CISA’s KEV catalog. Attackers can exploit the flaw over the network by sending crafted HTTP POST requests to the admin login endpoint; no legitimate credentials or privileged access are required.

Generated by OpenCVE AI on March 31, 2026 at 06:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑released patch or upgrade to an unaffected version of Library CMS.
  • If no patch is available, restrict access to the admin login to trusted IP addresses or through a VPN.
  • Deploy a web application firewall or intrusion detection system configured to block common SQL injection patterns on the admin login endpoint.
  • Ensure that user input in the username field is sanitized or parameterized prior to use in database queries.
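As an added illustration of the last bullet (example code, not from Library CMS or OpenCVE): the concatenated login query pattern that CWE-89 covers beside its parameterized replacement, using an in-memory SQLite table with constructed sample data; the table schema, column names and SHA-256 password hashing are assumptions.

```python
# Added example (not Library CMS code): a login check built by string
# concatenation, as CWE-89 describes, beside a parameterized version.
# The admin table and its contents are constructed sample data.
import hashlib
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample admin table; the schema is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password_hash TEXT)")
    conn.execute(
        "INSERT INTO admin VALUES (?, ?)",
        ("admin", hashlib.sha256(b"correct horse").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Username is spliced into the SQL text, so the query's structure,
    not just its data, is under the caller's control (the CWE-89 pattern)."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (
        "SELECT COUNT(*) FROM admin WHERE username = '" + username
        + "' AND password_hash = '" + pw_hash + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: the driver passes the username as a plain string
    value, so quote characters in it can never change the query."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT COUNT(*) FROM admin WHERE username = ? AND password_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = setup_db()
    # Legitimate credentials succeed either way; a tautology in the
    # username only satisfies the concatenated query.
    print("vulnerable, valid creds:", login_vulnerable(db, "admin", "correct horse"))
    print("fixed, valid creds:     ", login_fixed(db, "admin", "correct horse"))
    print("vulnerable, tautology:  ", login_vulnerable(db, "admin' OR '1'='1", "x"))
    print("fixed, tautology:       ", login_fixed(db, "admin' OR '1'='1", "x"))
```

The last two lines are the regression check a fix for this class of bug should carry: the parameterized query returns False for the same input that the concatenated one accepts.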


Advisories

No advisories yet.

History

Tue, 31 Mar 2026 03:00:00 +0000

Type | Values removed | Values added
CPEs | (none)         | cpe:2.3:a:wecodex:library_cms:1.0:*:*:*:*:*:*:*

Fri, 27 Mar 2026 08:45:00 +0000

Type               | Values removed | Values added
First Time appeared | (none)        | Wecodex; Wecodex library Cms
Vendors & Products  | (none)        | Wecodex; Wecodex library Cms

Thu, 26 Mar 2026 19:15:00 +0000

Type    | Values removed | Values added
Metrics | (none)         | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type                | Values removed | Values added
Description         | (none)         | Library CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can send POST requests to the admin login endpoint with boolean-based blind SQL injection payloads in the username field to manipulate database queries and gain unauthorized access.
Title               | (none)         | Library CMS 1.0 SQL Injection via admin login
First Time appeared | (none)         | Kaasoft; Kaasoft library Cms
Weaknesses          | (none)         | CWE-89
CPEs                | (none)         | cpe:2.3:a:kaasoft:library_cms:1.0:*:*:*:*:*:*:*
Vendors & Products  | (none)         | Kaasoft; Kaasoft library Cms
References          | (none)         | (none)
Metrics             | (none)         | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
                    |                | cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-26T18:36:14.410Z

Reserved: 2026-03-26T11:33:10.177Z

Link: CVE-2018-25204

Vulnrichment

Updated: 2026-03-26T18:36:10.792Z

NVD

Status : Analyzed

Published: 2026-03-26T12:16:05.247

Modified: 2026-03-31T01:15:27.480

Link: CVE-2018-25204

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:09:10Z

Weaknesses