Description
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the frm_passwd parameter. Attackers can send POST requests to main.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details.
Published: 2026-05-29
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Open ISES Project 3.30A has a SQL injection flaw in main.php that allows attackers to send POST requests containing a crafted SQL payload through the frm_passwd parameter. Because this input is not sanitized, unauthenticated users can execute arbitrary SQL commands, enabling them to read sensitive data such as usernames, database names, and version information. This weakness corresponds to CWE‑89, a classic example of an injection vulnerability that compromises data confidentiality.

Affected Systems

The vulnerability affects the Open ISES Project, specifically version 3.30A. No other affected versions are listed, and the vendor does not provide additional version information in the CNA data.

Risk and Exploitability

The CVSS score of 8.8 indicates a high likelihood of exploitation and significant impact. Although the EPSS score is not available, the lack of authentication requirement and the ability to craft HTTP POST requests to main.php suggest a straightforward attack path. The vulnerability is not listed in the CISA KEV catalog, but the high CVSS and the absence of mitigation measures in the current release make it a priority for remediation.

Generated by OpenCVE AI on May 29, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Open ISES Project to a version that resolves the SQL injection in main.php.
  • If an upgrade is not immediately possible, restrict access to main.php by applying network firewall rules that allow only trusted IP addresses or internal hosts.
  • Implement input validation or use parameterized queries for the frm_passwd field to eliminate the injection vector, following CWE‑89 best practices.

Generated by OpenCVE AI on May 29, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the frm_passwd parameter. Attackers can send POST requests to main.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details.
Title The Open ISES Project 3.30A SQL Injection via main.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T17:22:16.328Z

Reserved: 2026-05-29T12:58:52.358Z

Link: CVE-2018-25398

cve-icon Vulnrichment

Updated: 2026-05-29T17:22:11.251Z

cve-icon NVD

Status : Deferred

Published: 2026-05-29T16:16:19.367

Modified: 2026-05-29T16:32:14.400

Link: CVE-2018-25398

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T18:00:05Z

Weaknesses