Description
HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'nama_kelompok' POST parameter sent to lap-anggota-kelompok-pdf.php. Attackers can send a crafted request with a time-based blind payload to infer and extract sensitive database information.
Published: 2026-05-29
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HaPe PKH 1.1 contains an embedded SQL injection flaw that can be triggered by submitting a crafted POST payload to the "nama_kelompok" parameter. Attackers able to send requests to lap-anggota-kelompok-pdf.php can inject arbitrary SQL, including time-based blind predicates, allowing them to read, manipulate, or delete database contents. The vulnerability enables persistent data compromise without authentication.

Affected Systems

The vulnerable implementation is found in the Sitejo HaPe PKH web application, specifically version 1.1. No other variant or upstream product has been identified as affected in the current advisory.

Risk and Exploitability

The CVSS score of 8.8 indicates a high‑severity flaw that could lead to full database compromise. The EPSS score is unavailable, but the lack of a KEV listing suggests limited evidence of exploitation in the wild. The likely attack vector is over the network, with the attacker needing only access to the web application’s public endpoint. Once the application is reachable, an unauthenticated attacker can execute the injected SQL and exfiltrate data.

Generated by OpenCVE AI on May 29, 2026 at 17:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update HaPe PKH to a version that removes the vulnerable code or apply a vendor‑supplied patch
  • If an update is not immediately feasible, disable or restrict external access to lap‑anggota‑kelompok‑pdf.php using a firewall or application‑level rule
  • Implement input validation and use parameterized queries in the 'nama_kelompok' handling code to eliminate injection risk
  • Monitor database logs for anomalous queries that match injection signatures
  • Consider enforcing least privilege on the database user powering the application

Generated by OpenCVE AI on May 29, 2026 at 17:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'nama_kelompok' POST parameter sent to lap-anggota-kelompok-pdf.php. Attackers can send a crafted request with a time-based blind payload to infer and extract sensitive database information.
Title HaPe PKH 1.1 SQL Injection via nama_kelompok Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T14:46:33.184Z

Reserved: 2026-05-29T11:24:03.699Z

Link: CVE-2018-25389

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-29T16:16:18.117

Modified: 2026-05-29T16:29:11.350

Link: CVE-2018-25389

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T18:00:05Z

Weaknesses