Description
Library CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can send POST requests to the admin login endpoint with boolean-based blind SQL injection payloads in the username field to manipulate database queries and gain unauthorized access.
Published: 2026-03-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated login bypass
Action: Immediate patch
AI Analysis

Impact

Library CMS 1.0 allows unauthenticated attackers to bypass the admin login by injecting SQL code through the username field. The flaw is a classic SQL injection (CWE-89) that uses Boolean-based blind payloads to manipulate database queries, enabling an attacker to gain unauthorized access to the CMS and its backend functionality.

Affected Systems

The vulnerability affects the Wecodex Library CMS product, version 1.0.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. Although EPSS data is not available and the issue is not listed in the KEV catalog, the attack vector is inferred to be network-based through POST requests to the admin login endpoint, meaning remote access is possible without prior authentication. Given the high score and the lack of mitigation in the current version, exploitation is considered likely if the system is exposed to the Internet.

Generated by OpenCVE AI on March 26, 2026 at 13:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch or upgrade to a newer, patched version of Library CMS.
  • Restrict access to the admin login URL by firewall rules or IP whitelisting to limit exposure to trusted hosts.
  • Deploy a web application firewall or intrusion detection system tuned to block SQL injection patterns targeting the admin login.
  • If a patch is not yet available, implement strict input validation or parameterized queries on the username field to eliminate injection vectors.
  • Monitor application logs for suspicious login attempts and review any failed authentication records for potential exploitation attempts.

Generated by OpenCVE AI on March 26, 2026 at 13:23 UTC.

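As an added illustration of the last two recommendations (this is not code from Library CMS or from OpenCVE), the Python sketch below places a login lookup built by string concatenation beside its parameterized form and adds a hypothetical rule for reviewing login logs; the schema, the account, and the crafted username are constructed for the example.

```python
import re
import sqlite3

# Constructed sample schema with one admin account; not Library CMS's real schema.
SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, role TEXT);
INSERT INTO users VALUES ('admin', 'hash-of-real-password', 'admin');
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def login_vulnerable(conn, username, password_hash):
    # The username is spliced into the SQL text, so quotes and comment
    # sequences inside it change the query's logic (CWE-89).
    sql = (f"SELECT role FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password_hash):
    # Bound parameters: the driver passes the username as a value, never as
    # SQL, so the same input is just a username that does not exist.
    sql = "SELECT role FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(sql, (username, password_hash)).fetchone()
    return row[0] if row else None

# Hypothetical log-review rule: a username containing a quote followed by
# OR/AND, or an SQL comment marker, deserves a closer look in failed logins.
SUSPICIOUS = re.compile(r"'\s*(or|and)\s|--|/\*", re.IGNORECASE)

def flag_login_attempt(username):
    return bool(SUSPICIOUS.search(username))

def demo():
    conn = make_db()
    honest = ("admin", "hash-of-real-password")
    # Constructed Boolean-style payload of the kind the advisory describes.
    crafted = ("' OR '1'='1' --", "wrong-hash")
    return {
        "honest_vulnerable": login_vulnerable(conn, *honest),
        "honest_parameterized": login_parameterized(conn, *honest),
        "crafted_vulnerable": login_vulnerable(conn, *crafted),        # 'admin'
        "crafted_parameterized": login_parameterized(conn, *crafted),  # None
        "crafted_flagged": flag_login_attempt(crafted[0]),            # True
    }
```
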
Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000 (values added; none removed)

First Time appeared: Wecodex; Wecodex library Cms
Vendors & Products: Wecodex; Wecodex library Cms

Thu, 26 Mar 2026 19:15:00 +0000 (values added; none removed)

Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000 (initial record; values added, none removed)

Description: Library CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can send POST requests to the admin login endpoint with boolean-based blind SQL injection payloads in the username field to manipulate database queries and gain unauthorized access.
Title: Library CMS 1.0 SQL Injection via admin login
First Time appeared: Kaasoft; Kaasoft library Cms
Weaknesses: CWE-89
CPEs: cpe:2.3:a:kaasoft:library_cms:1.0:*:*:*:*:*:*:*
Vendors & Products: Kaasoft; Kaasoft library Cms
References: (none listed)
Metrics (cvssV3_1): {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
Metrics (cvssV4_0): {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-26T18:36:14.410Z

Reserved: 2026-03-26T11:33:10.177Z

Link: CVE-2018-25204

Vulnrichment

Updated: 2026-03-26T18:36:10.792Z

NVD

Status: Awaiting Analysis

Published: 2026-03-26T12:16:05.247

Modified: 2026-03-26T15:13:15.790

Link: CVE-2018-25204

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T08:36:06Z

Weaknesses