Description
Zechat 1.5 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the uname parameter. Attackers can send crafted requests to profile.php with UNION-based SQL injection payloads to retrieve table names, column names, and sensitive data from the information_schema database.
Published: 2026-05-29
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Zechat 1.5 script exposes a classic SQL injection flaw in its profile.php endpoint, allowing any sender to place malicious SQL statements in the uname query parameter. Because authentication is not required, an attacker can simply craft a request with UNION‑based payloads to read the contents of the information_schema database, revealing table names, column names, and potentially sensitive data stored in the application database. The vulnerability falls under the CWE‑89 family of injection weaknesses, directly threatening the confidentiality and integrity of the underlying data.

Affected Systems

The vendor and product identified by the CNA are Bylancer:Zechat. Zechat version 1.5—identified in several CPE entries—is the only version cited as vulnerable. No additional version range information is provided, so all installations of the 1.5 release should be regarded as impacted until an updated patch is released.

Risk and Exploitability

This vulnerability carries a CVSS score of 8.8 (the cvssV4_0 metric; the cvssV3_1 score is 8.2). No EPSS score is reported and it is not listed in CISA's KEV catalog. Exploitation is technically feasible and has a high impact when achieved. The likely attack vector is a network-based HTTP request to profile.php from an unauthenticated client, meaning any user with network access to the web server can attempt the injection and retrieve sensitive database information if no countermeasures are in place.

Generated by OpenCVE AI on May 29, 2026 at 17:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zechat to the latest version that removes the unsafe SQL handling.
  • If a new release is unavailable, restrict remote access to profile.php using a firewall or IP whitelist to limit who can hit the vulnerable endpoint.
  • Configure the application to use parameterized queries or prepared statements for all database interactions, thereby eliminating the injection vector.
  • Continuously monitor web server logs for irregular SQL query patterns that may indicate attempted exploitation.
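
One way to implement the log-monitoring action above, as an added example (not OpenCVE's or the vendor's code): it scans access log lines for requests to profile.php whose uname parameter decodes to UNION SELECT or information_schema tokens. The combined log format, the constructed sample lines and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Tokens named in the advisory: UNION-based queries and information_schema reads.
SUSPICIOUS_RE = re.compile(r"\bunion\b.{0,40}?\bselect\b|\binformation_schema\b", re.I | re.S)
INLINE_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [29/May/2026:17:02:11 +0000] "GET /profile.php?uname=alice HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [29/May/2026:17:02:15 +0000] "GET /profile.php?uname=x%27+UNION+SELECT+1%2C2--+- HTTP/1.1" 200 4312 "-" "curl/8.5.0"',
    '203.0.113.9 - - [29/May/2026:17:02:19 +0000] "GET /profile.php?uname=x%2527%2520union%252F**%252Fselect%25201 HTTP/1.1" 200 4312 "-" "curl/8.5.0"',
    '192.0.2.44 - - [29/May/2026:17:03:02 +0000] "GET /search.php?q=student+union+select+committee HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def normalize(value, max_rounds=3):
    """Undo repeated URL encoding, then blank out SQL inline comments used to split keywords."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return INLINE_COMMENT_RE.sub(" ", value)


def flag_uname_injection(log_lines):
    """Return (client_ip, normalized_uname) for suspicious requests to profile.php."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/profile.php"):
            continue  # scope the rule to the endpoint named in the advisory
        for raw in parse_qs(url.query, keep_blank_values=True).get("uname", []):
            value = normalize(raw)  # parse_qs has already decoded one layer
            if SUSPICIOUS_RE.search(value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in flag_uname_injection(SAMPLE_LOG):
        print(f"suspicious uname from {ip}: {value!r}")
```

Matches are triage leads for review, not proof of compromise; POST bodies are not written to standard access logs, so this covers only query-string requests.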


Advisories

No advisories yet.

History

Fri, 29 May 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Bylancer; Bylancer zechat
Vendors & Products | | Bylancer; Bylancer zechat

Fri, 29 May 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | Zechat 1.5 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the uname parameter. Attackers can send crafted requests to profile.php with UNION-based SQL injection payloads to retrieve table names, column names, and sensitive data from the information_schema database.
Title | | Zechat 1.5 SQL Injection via uname Parameter
First Time appeared | | Zechat Project; Zechat Project zechat
Weaknesses | | CWE-89
CPEs | | cpe:2.3:a:zechat_project:zechat:1.5:*:*:*:*:*:*:*
Vendors & Products | | Zechat Project; Zechat Project zechat
References | |
Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}; cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T14:46:28.078Z

Reserved: 2026-05-29T11:06:08.520Z

Link: CVE-2018-25382

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-29T16:16:17.187

Modified: 2026-05-29T16:29:11.350

Link: CVE-2018-25382

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T20:15:06Z

Weaknesses