Description
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to inc_types_graph.php with crafted SQL payloads to extract sensitive database information including schema names and other data.
Published: 2026-05-29
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Open ISES Project 3.30A allows an attacker to inject arbitrary SQL through the p1 parameter of inc_types_graph.php. By sending specially crafted GET requests, a malicious actor can execute arbitrary queries against the database, enabling extraction of sensitive schema information and other data. The vulnerability is a classic CWE-89 SQL injection and results in a compromise of both data confidentiality and integrity, with no authentication required to exploit it.

Affected Systems

Open ISES Project Open ISES 3.30A is the only affected product. The flaw resides in the inc_types_graph.php module and reaches whatever database backend that version is deployed with.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity level, while the EPSS score is unavailable and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is straightforward: a public HTTP GET request to inc_types_graph.php with a malicious p1 payload. Because no authentication is needed, the risk for any exposed instance is significant, and exploitation could occur with minimal effort once the URLs are known.

Generated by OpenCVE AI on May 29, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a newer release of Open ISES that removes the vulnerable code.
  • Configure the web server to restrict or require authentication for the inc_types_graph.php endpoint, limiting exposure.
  • Sanitize the p1 parameter and use prepared statements or parameterized queries to eliminate SQL injection risk.
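The third action above, shown as code. This is an added example, not code from Open ISES or from OpenCVE: the table and column names (graph_types, type_id, label), the DSN and the query are hypothetical placeholders standing in for whatever inc_types_graph.php actually executes. It combines input validation (p1 is accepted only as a positive integer) with a PDO prepared statement so that the parameter value is never spliced into SQL text.

```php
<?php
// Added example of a hardened handler for a GET parameter such as p1.
// Not Open ISES code: graph_types, type_id, label, the DSN and the query
// are placeholders assumed for illustration.
declare(strict_types=1);

// The CWE-89 pattern being replaced builds the query by concatenation, e.g.
//   "SELECT ... WHERE type_id = '" . $_GET['p1'] . "'"
// so the request parameter becomes part of the SQL text itself.

// 1. Validate: treat p1 as a positive integer id. filter_input returns
//    false for non-integer input and null when the parameter is absent.
$p1 = filter_input(INPUT_GET, 'p1', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($p1 === false || $p1 === null) {
    http_response_code(400);
    exit('invalid p1');
}

// 2. Connect with exceptions enabled and emulated prepares disabled, so the
//    database server itself receives the statement and the value separately.
$dsn = 'mysql:host=127.0.0.1;dbname=ises;charset=utf8mb4'; // placeholder DSN
$pdo = new PDO($dsn, 'app_user', getenv('DB_PASSWORD') ?: '', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// 3. Bind the validated value; the SQL text contains no user input.
$stmt = $pdo->prepare('SELECT type_id, label FROM graph_types WHERE type_id = :p1');
$stmt->bindValue(':p1', $p1, PDO::PARAM_INT);
$stmt->execute();
$rows = $stmt->fetchAll();

header('Content-Type: application/json');
echo json_encode($rows);
```

Validation and parameterization are deliberately both present: the integer check rejects malformed requests early (and gives a clean signal to log and alert on), while the prepared statement is the control that actually removes the injection, so it holds even if a later change relaxes the validation.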

Tracking

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to inc_types_graph.php with crafted SQL payloads to extract sensitive database information including schema names and other data.
Title | (none) | The Open ISES Project 3.30A SQL Injection via inc_types_graph.php
Weaknesses | (none) | CWE-89
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}; cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T14:46:42.699Z

Reserved: 2026-05-29T12:59:49.030Z

Link: CVE-2018-25402

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-29T16:16:19.880

Modified: 2026-05-29T16:32:14.400

Link: CVE-2018-25402

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T17:30:04Z

Weaknesses