Description
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to sever_graph.php with crafted SQL payloads to extract sensitive database information including schema names and other data.
Published: 2026-05-29
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated attacker can send specially crafted GET requests to sever_graph.php, exploiting a SQL injection flaw in the p1 parameter. The flaw permits arbitrary SQL queries, enabling extraction of sensitive database contents such as schema names, tables, and data. This results in a loss of data confidentiality and can also allow modification of data, potentially corrupting the system’s integrity.

Affected Systems

Open ISES Project version 3.30A is affected. The vulnerability resides in sever_graph.php, which is part of the Open ISES application suite available from the project’s SourceForge release.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity. EPSS information is not available, so the likelihood of exploitation cannot be precisely quantified, but the lack of authentication requirement means that any network user can attempt the attack. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote HTTP request to sever_graph.php, inserting malicious SQL via the unvalidated p1 query parameter.

Generated by OpenCVE AI on May 29, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open ISES Project to the latest patched version, if one is available
  • Audit the application's authentication and restrict access to sever_graph.php to authorized users only
  • Implement input validation or parameterized queries in sever_graph.php to mitigate SQL injection, following CWE-89 best practices

Advisories

No advisories yet.

History

Fri, 29 May 2026 20:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 16:15:00 +0000

Values Removed: (none)
Values Added:

  • Description: The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to sever_graph.php with crafted SQL payloads to extract sensitive database information including schema names and other data.
  • Title: The Open ISES Project 3.30A SQL Injection via sever_graph.php
  • Weaknesses: CWE-89
  • References:
  • Metrics: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
  • Metrics: cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T19:28:04.455Z

Reserved: 2026-05-29T12:59:37.480Z

Link: CVE-2018-25401

Vulnrichment

Updated: 2026-05-29T19:27:55.267Z

NVD

Status: Deferred

Published: 2026-05-29T16:16:19.753

Modified: 2026-05-29T16:32:14.400

Link: CVE-2018-25401

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T18:00:05Z

Weaknesses