Description
HaPe PKH 1.1 contains multiple SQL injection vulnerabilities in admin/media.php that allow attackers to manipulate database queries by injecting SQL code through the 'id' parameter. An unauthenticated attacker can exploit the desa module (module=desa&act=hapus), while authenticated users can exploit the pengurus, fasilitas, and kelompok modules (for example act=print, act=editpengurus, act=editfasilitas, and act=editkelompok). Successful exploitation allows extraction of sensitive database information including the current user, database name, and DBMS version.
Published: 2026-05-29
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HaPe PKH 1.1 contains a SQL injection flaw in the id parameter of admin/media.php. This flaw is a classic input validation issue described by CWE-89 and allows attackers to execute arbitrary SQL statements against the underlying database. The attack can disclose even sensitive internal information such as the current user, database name, and the database management system version.

Affected Systems

The vulnerability exists in the Sitejo Hub HaPe PKH 1.1 product. The insecure admin/media.php file is used by the desa module and by authenticated modules such as pengurus, fasilitas, and kelompok. Unauthenticated users can trigger the flaw via the desa module, while authenticated users can exploit it in the other modules.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity and the vulnerability is publicly known though no EPSS data was returned, so the exploitation probability is unspecified. The flaw is in a web exposed input parameter and does not require special privileges, meaning that an attacker can exploit it from any network that can reach the application. The vulnerability is not listed in CISA's KEV catalog, but the absence of mitigation does not lower its risk, especially because a subset of the attack surface is fully unauthenticated.

Generated by OpenCVE AI on May 29, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HaPe PKH to the latest version that removes the vulnerable admin/media.php handler or patches the SQL injection flaw.
  • Configure the web server to restrict access to admin/media.php or to the desa module, so that unauthenticated users cannot reach the vulnerable pages (e.g., .htaccess authentication or firewall rules).
  • Modify the source code of admin/media.php to use parameterized queries or proper input validation to eliminate the injection point.

Generated by OpenCVE AI on May 29, 2026 at 17:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description HaPe PKH 1.1 contains multiple SQL injection vulnerabilities in admin/media.php that allow attackers to manipulate database queries by injecting SQL code through the 'id' parameter. An unauthenticated attacker can exploit the desa module (module=desa&act=hapus), while authenticated users can exploit the pengurus, fasilitas, and kelompok modules (for example act=print, act=editpengurus, act=editfasilitas, and act=editkelompok). Successful exploitation allows extraction of sensitive database information including the current user, database name, and DBMS version.
Title HaPe PKH 1.1 SQL Injection via id Parameter in admin/media.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T19:19:44.241Z

Reserved: 2026-05-29T11:15:20.657Z

Link: CVE-2018-25386

cve-icon Vulnrichment

Updated: 2026-05-29T19:19:39.830Z

cve-icon NVD

Status : Deferred

Published: 2026-05-29T16:16:17.720

Modified: 2026-05-29T16:29:11.350

Link: CVE-2018-25386

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T17:30:04Z

Weaknesses