Description
HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'desa' POST parameter sent to lap-peserta-perdesa-pdf.php. Attackers can send a crafted request with a time-based blind payload to infer and extract sensitive database information.
Published: 2026-05-29
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HaPe PKH 1.1 contains a SQL injection flaw in the 'desa' POST parameter of lap-peserta-perdesa-pdf.php. An attacker can insert malicious SQL code, including time‑based blind queries, to probe and retrieve confidential database information. The vulnerability is a classic instance of CWE‑89 and allows unauthenticated users to manipulate queries and obtain sensitive data.

Affected Systems

The affected product is HaPe PKH version 1.1 from the Sitejo vendor. No additional versions are listed as impacted in the available data.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity. Since the EPSS score is not available, the exact likelihood of exploitation remains unknown, but the lack of mitigation measures and the public publication of the flaw suggest a significant risk. The vulnerability is not yet listed in CISA’s KEV catalog. Attackers can exploit this by sending a crafted HTTP POST request to lap‑peserta‑perdesa‑pdf.php over the web interface, without needing any authentication. If the server exposes this script, the attack can be performed from anywhere on the internet.

Generated by OpenCVE AI on May 29, 2026 at 17:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HaPe PKH to the latest version that includes the SQL injection fix or apply the vendor’s official patch for the desa parameter issue.
  • Limit the 'desa' input by validating it against an allowed set of numeric identifiers, rejecting any non‑numeric or suspicious characters before database usage (mitigates CWE‑89).
  • Restrict access to lap‑peserta‑perdesa‑pdf.php to authenticated administrators only, or remove the page entirely if it is not required for users.
  • Deploy a web application firewall or input filtering tool to detect and block SQL injection patterns on incoming requests.
  • Perform a comprehensive code review of all user-supplied parameters in the application, ensuring proper escaping and parameterized queries are used across the codebase.

Generated by OpenCVE AI on May 29, 2026 at 17:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'desa' POST parameter sent to lap-peserta-perdesa-pdf.php. Attackers can send a crafted request with a time-based blind payload to infer and extract sensitive database information.
Title HaPe PKH 1.1 SQL Injection via desa Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T20:35:28.280Z

Reserved: 2026-05-29T11:24:03.699Z

Link: CVE-2018-25390

cve-icon Vulnrichment

Updated: 2026-05-29T20:35:23.616Z

cve-icon NVD

Status : Deferred

Published: 2026-05-29T16:16:18.250

Modified: 2026-05-29T16:29:11.350

Link: CVE-2018-25390

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T17:45:04Z

Weaknesses