Description
Twitter-Clone 1 contains a SQL injection vulnerability in follow.php that allows attackers to manipulate database queries by injecting SQL code through the userid parameter. Attackers can submit union-based or time-based blind SQL injection payloads to extract sensitive database information including usernames, passwords, and database credentials.
Published: 2026-05-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Twitter-Clone 1 contains a SQL injection flaw in follow.php that allows attackers to modify database queries through the userid parameter. By submitting union-based or time-based blind payloads, an adversary can retrieve usernames, passwords, and database credentials, resulting in confidential data exposure.

Affected Systems

The flaw is present in the PHP-Twitter-Clone installation from Fyffe. No version range is supplied, so every deployment of this code that exposes follow.php is potentially affected.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. EPSS data is not available and the vulnerability is not listed in KEV, which suggests it is not yet widely exploited; the attack vector, however, is straightforward: a public HTTP endpoint that requires no credentials or privileges. An attacker can execute the injection remotely by forming an HTTP request to the vulnerable script.

Generated by OpenCVE AI on May 25, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of PHP-Twitter-Clone or remove the vulnerable follow.php from the web root.
  • Rewrite the database access in follow.php to use prepared statements or parameterized queries, preventing arbitrary SQL from being executed.
  • Sanitize and validate the userid input, e.g., by allowing only numeric values and rejecting suspicious characters, and enforce least privilege on the database account used by the application.
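The three recommendations above (strict input validation, prepared statements, and a least-privilege database account) fit together in one request handler. The following is an added, hypothetical example of such a handler and is not code from PHP-Twitter-Clone or from Fyffe; the actual follow.php is not shown on this page. It assumes a `users` table with an integer `id`, a `follows` table with `follower_id` and `followee_id`, a PDO connection, and the logged-in user's id in `$_SESSION['user_id']`; the DSN and credentials are placeholders.

```php
<?php
// Added example of a hardened "follow" handler (not the project's code).
// Assumed schema: users(id INT), follows(follower_id INT, followee_id INT).
declare(strict_types=1);

/**
 * Accept only a positive integer for userid. Anything else (a UNION clause,
 * a delay function, quotes, etc.) fails validation and is rejected outright,
 * so it never reaches the database layer.
 */
function parseUserId(array $request): ?int
{
    $id = filter_var(
        $request['userid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

/**
 * Record that $followerId follows $followeeId. Every user-controlled value
 * is passed as a bound parameter, so it can only ever be data, never SQL.
 */
function followUser(PDO $pdo, int $followerId, int $followeeId): bool
{
    // Confirm the target exists (bound parameter, no string interpolation).
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE id = :id');
    $stmt->execute([':id' => $followeeId]);
    if ($stmt->fetchColumn() === false) {
        return false;
    }

    $stmt = $pdo->prepare(
        'INSERT INTO follows (follower_id, followee_id) VALUES (:f, :t)'
    );
    return $stmt->execute([':f' => $followerId, ':t' => $followeeId]);
}

// Connection for the application account. Emulated prepares are disabled so
// the database server performs real parameter binding. The account behind
// APP_USER_PLACEHOLDER should hold only the SELECT/INSERT privileges these
// statements need on these tables (least privilege), nothing broader.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'APP_USER_PLACEHOLDER',
    'APP_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('login required');
}

$target = parseUserId($_POST);
if ($target === null) {
    // Validation failure: do not echo the raw input back.
    http_response_code(400);
    exit('invalid userid');
}

if (!followUser($pdo, (int) $_SESSION['user_id'], $target)) {
    http_response_code(404);
    exit('no such user');
}

header('Location: profile.php?userid=' . $target);
```

The validation step is the cheap outer check and the prepared statement is the real control: even if validation were bypassed or later loosened to accept other formats, a bound parameter cannot alter the query's structure. Restricting the database account to the few statements the handler needs limits what an injection elsewhere in the application could read, which matters here because the description names usernames, passwords, and database credentials as the exposed data.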

Advisories

No advisories yet.

History

Tue, 26 May 2026 16:30:00 +0000

  Type: Metrics
  Values Added: ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 13:30:00 +0000

  Type: First Time appeared
  Values Added: Fyffe; Fyffe php-twitter-clone

  Type: Vendors & Products
  Values Added: Fyffe; Fyffe php-twitter-clone

Mon, 25 May 2026 14:30:00 +0000

  Type: Description
  Values Added: Twitter-Clone 1 contains a SQL injection vulnerability in follow.php that allows attackers to manipulate database queries by injecting SQL code through the userid parameter. Attackers can submit union-based or time-based blind SQL injection payloads to extract sensitive database information including usernames, passwords, and database credentials.

  Type: Title
  Values Added: Twitter-Clone 1 SQL Injection via follow.php

  Type: Weaknesses
  Values Added: CWE-89

  Type: References

  Type: Metrics
  Values Added: cvssV3_1
    {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
  cvssV4_0
    {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-26T15:22:40.410Z

Reserved: 2026-05-24T13:30:45.539Z

Link: CVE-2018-25362

Vulnrichment

Updated: 2026-05-26T15:22:34.631Z

NVD

Status: Deferred

Published: 2026-05-25T15:16:18.787

Modified: 2026-05-26T19:47:48.987

Link: CVE-2018-25362

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T13:00:42Z

Weaknesses

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')