Description
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tick_lat and tick_lng parameters. Attackers can send GET requests to nearby.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details.
Published: 2026-05-29
Score: 8.8 High (CVSS v4.0; the CVSS v3.1 base score is 8.2)
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Open ISES Project version 3.30A is affected by a SQL injection flaw in nearby.php: the tick_lat and tick_lng request parameters reach a database query without being treated as numbers, so an attacker controls part of the SQL text. The weakness is CWE-89. No authentication is required, and the queries an attacker can run are sufficient to read usernames, database names, and version details, exposing sensitive data stored in the application's database.

Affected Systems

Affected product: Open ISES Project 3.30A, the only version listed. The vulnerable code path is the nearby.php endpoint, which is reachable without authentication, so any deployment of this version that exposes nearby.php to untrusted clients is affected.

Risk and Exploitability

The CVSS v4.0 base score is 8.8 (v3.1: 8.2), high severity. Both vectors rate the attack as network-reachable, low complexity, requiring no privileges and no user interaction, with high confidentiality impact, low integrity impact and no availability impact. Because a single crafted HTTP GET to nearby.php is enough to trigger the flaw, the likelihood of exploitation is significant even though no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The primary risk is extraction of database content through the tick_lat and tick_lng parameters; the low integrity rating means limited modification cannot be ruled out, but data disclosure is the expected outcome.

Generated by OpenCVE AI on May 29, 2026 at 17:22 UTC.
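Requests of the kind described above leave a recognisable trace in web server access logs. The following Python script is an added example, not part of the OpenCVE page and not code from the Open ISES project: it assumes the common combined log format and that legitimate tick_lat/tick_lng values are plain decimal coordinates, and it flags every request to nearby.php whose coordinate parameters are anything else. The log lines are constructed for the example, and the non-numeric values in them are generic SQL metacharacters, not a reproduction of any published payload.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic). The odd values in
# tick_lat are generic SQL metacharacters used only to exercise the detector.
SAMPLE_LOG = """\
203.0.113.7 - - [29/May/2026:16:20:01 +0000] "GET /ises/nearby.php?tick_lat=40.7128&tick_lng=-74.0060 HTTP/1.1" 200 5123
203.0.113.7 - - [29/May/2026:16:20:05 +0000] "GET /ises/nearby.php?tick_lat=40.7128'&tick_lng=-74.0060 HTTP/1.1" 500 211
198.51.100.9 - - [29/May/2026:16:21:13 +0000] "GET /ises/nearby.php?tick_lat=1%20OR%201%3D1&tick_lng=2 HTTP/1.1" 200 9981
198.51.100.9 - - [29/May/2026:16:21:20 +0000] "GET /ises/index.php HTTP/1.1" 200 3311
192.0.2.44 - - [29/May/2026:16:22:02 +0000] "GET /ises/nearby.php?tick_lat=51.5&tick_lng=-0.12 HTTP/1.1" 200 4470
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A legitimate coordinate is an optional sign, up to three integer digits and an
# optional fraction; nothing else (quotes, spaces, keywords, exponents) is expected.
DECIMAL_RE = re.compile(r'^-?\d{1,3}(\.\d+)?$')

# Parameters named in the advisory, with the valid range for each (assumption:
# the application expects WGS84 latitude/longitude).
WATCHED = {"tick_lat": (-90.0, 90.0), "tick_lng": (-180.0, 180.0)}


def coordinate_ok(value: str, lo: float, hi: float) -> bool:
    """True only for a plain decimal number inside [lo, hi]."""
    if not DECIMAL_RE.match(value):
        return False
    return lo <= float(value) <= hi


def flag_requests(log_text: str) -> list[dict]:
    """Return one record per nearby.php request carrying a non-coordinate value."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        url = urlsplit(m["target"])
        if not url.path.endswith("/nearby.php"):
            continue
        # parse_qs percent-decodes values, so encoded payloads are inspected
        # in their decoded form, and repeated parameters are all examined.
        params = parse_qs(url.query, keep_blank_values=True)
        bad = {}
        for name, (lo, hi) in WATCHED.items():
            for raw in params.get(name, []):
                if not coordinate_ok(raw, lo, hi):
                    bad[name] = raw
        if bad:
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": int(m["status"]), "bad_params": bad})
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} {hit['bad_params']}")
```

The detector deliberately keys on "not a coordinate" rather than on a list of SQL keywords: a denylist misses encodings and comment tricks, whereas the set of valid inputs for these two parameters is small and easy to describe. A 500 response next to a flagged value (the second sample line) is a common sign of a probe that broke the query; a 200 with an unusually large body (the third) is what successful extraction tends to look like.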

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the latest release of Open ISES from the official SourceForge repository. Because no vendor fix is recorded for this issue, confirm that the release actually changes how nearby.php handles tick_lat and tick_lng before treating the upgrade as remediation.
  • Treat tick_lat and tick_lng as numbers, not strings: parse them as floats, reject out-of-range values (latitude -90 to 90, longitude -180 to 180), and pass them to the database through prepared statements with bound parameters. Escaping or filtering characters is not a substitute for parameterization.
  • Run the application with a database account limited to the privileges it actually needs. This limits what an injection can alter or reach in other schemas, but it cannot prevent reads of tables the application itself must query, so it is a containment measure rather than a fix.

Generated by OpenCVE AI on May 29, 2026 at 17:22 UTC.
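The second recommendation, as an added example that is neither Open ISES's code nor the vendor's fix: a constructed stand-in for a "nearby" lookup, written in Python against SQLite, first in the string-concatenation form that CWE-89 describes and then hardened by parsing the coordinates as bounded floats and binding them as query parameters. The table and column names are assumptions made for the demonstration; nothing here claims how nearby.php actually builds its query. In PHP the same hardening is a PDO prepared statement with bound parameters.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in schema for the example; not Open ISES's real tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ticks (id INTEGER PRIMARY KEY, name TEXT, lat REAL, lng REAL);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO ticks (name, lat, lng) VALUES
            ('Station A', 40.71, -74.00),
            ('Station B', 40.75, -73.98),
            ('Station C', 51.50, -0.12);
        INSERT INTO users VALUES ('admin', 'x'), ('dispatcher', 'y');
    """)
    return conn


def nearby_vulnerable(conn: sqlite3.Connection, tick_lat: str, tick_lng: str) -> list[str]:
    """The CWE-89 pattern: raw request strings are pasted into the SQL text."""
    sql = (f"SELECT name FROM ticks WHERE lat > {tick_lat} - 1 AND lat < {tick_lat} + 1 "
           f"AND lng > {tick_lng} - 1 AND lng < {tick_lng} + 1")
    return [row[0] for row in conn.execute(sql)]


def parse_coordinate(raw: str, lo: float, hi: float) -> float:
    """Accept only a finite number inside [lo, hi]; anything else is rejected."""
    try:
        value = float(raw)
    except (TypeError, ValueError):
        raise ValueError(f"coordinate is not numeric: {raw!r}")
    # NaN fails every comparison, so the range check also rejects it.
    if not (lo <= value <= hi):
        raise ValueError(f"coordinate out of range: {raw!r}")
    return value


def nearby_safe(conn: sqlite3.Connection, tick_lat: str, tick_lng: str) -> list[str]:
    """Hardened form: validated floats bound as parameters, never SQL text."""
    lat = parse_coordinate(tick_lat, -90.0, 90.0)
    lng = parse_coordinate(tick_lng, -180.0, 180.0)
    sql = ("SELECT name FROM ticks WHERE lat > ? - 1 AND lat < ? + 1 "
           "AND lng > ? - 1 AND lng < ? + 1")
    return [row[0] for row in conn.execute(sql, (lat, lat, lng, lng))]


if __name__ == "__main__":
    db = build_demo_db()
    # Generic UNION-style input (illustrative only, against the stand-in schema):
    # the trailing comment discards the rest of the concatenated query.
    crafted = "-999 UNION SELECT username FROM users--"
    print("vulnerable, benign input :", nearby_vulnerable(db, "40.7", "-74.0"))
    print("vulnerable, crafted input:", nearby_vulnerable(db, "40.7", crafted))
    print("safe, benign input       :", nearby_safe(db, "40.7", "-74.0"))
    try:
        nearby_safe(db, "40.7", crafted)
    except ValueError as exc:
        print("safe, crafted input      : rejected,", exc)
```

Run the vulnerable function with the crafted value and the result set gains the contents of a different table, which is the disclosure the advisory describes in general terms. The hardened function never gets that far: the value is rejected as non-numeric before any SQL is built, and even a numeric value can only ever be a bound parameter. The example also shows why the third recommendation is containment only: the injected SELECT reads from a table the application account is entitled to read, so privilege restriction would not have stopped it.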


Advisories

No advisories yet.

History

Fri, 29 May 2026 16:15:00 +0000

Type          Values removed   Values added
Description   (empty)          The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tick_lat and tick_lng parameters. Attackers can send GET requests to nearby.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details.
Title         (empty)          The Open ISES Project 3.30A SQL Injection via nearby.php
Weaknesses    (empty)          CWE-89
References    (empty)          (empty)
Metrics       (empty)          cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
                               cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T14:46:40.544Z

Reserved: 2026-05-29T12:59:10.482Z

Link: CVE-2018-25399

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-29T16:16:19.497

Modified: 2026-05-29T16:32:14.400

Link: CVE-2018-25399

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T17:30:04Z

Weaknesses