Description
SIM-PKH 2.4.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to /admin/media.php with module=pengurus and act=editpengurus parameters containing SQL UNION statements to extract database information including usernames, database names, and version details.
Published: 2026-05-30
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw in SIM-PKH 2.4.1, where an attacker can inject code through the 'id' parameter in /admin/media.php. When an authenticated user sends a crafted GET request containing a UNION SELECT payload, the backend database is queried with the malicious input, allowing the attacker to retrieve usernames, database names, and version details. This flaw is classified as CWE-89 and can lead to unauthorized information disclosure and potential data manipulation through arbitrary SQL execution.

Affected Systems

The affected product is Simpkh's SIM-PKH, specifically version 2.4.1. No other versions are known to be impacted. The vulnerability exists only within the admin media editing module accessed by authenticated users.

Risk and Exploitability

The CVSS base score of 7.1 indicates a high severity level, while the EPSS score is not available, making the current exploitation probability uncertain. The vulnerability is not listed in the CISA KEV catalog. Attackers must first authenticate and then target the /admin/media.php endpoint; however, because the id parameter is passed as plain text in the request, exploitation is straightforward for anyone with legitimate access. The lack of mitigation in default deployments raises the risk profile for organizations still running version 2.4.1.

Generated by OpenCVE AI on May 30, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest SIM-PKH release where the SQL injection issue has been fixed; if no update is available, apply any vendor patch or temporary blocker.
  • Limit database privileges for the web application to only what is strictly necessary; remove any SELECT, UPDATE, or DELETE rights that are not required for normal operation.
  • Sanitize and validate all GET parameters and use prepared statements or parameterized queries in the application code, especially for the 'id' argument in media.php.
  • Restrict access to the admin module by IP whitelisting or by implementing two‑factor authentication to reduce the attack surface.
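
While no vendor fix exists, web server access logs can be checked for requests matching the pattern described above. The following Python check is an added example, not part of the OpenCVE record or of SIM-PKH's code; it flags GET requests to /admin/media.php with module=pengurus and act=editpengurus whose id value is not a plain integer. The log lines are constructed, and the Combined Log Format and the numeric-id rule are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a Common/Combined Log Format entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Tokens typical of UNION-based injection; used only to annotate a hit.
SQL_TOKEN_RE = re.compile(r"\b(union|select|from|information_schema)\b|--|/\*|#|'", re.I)

def suspicious_id(line):
    """Return the decoded id value when the line is a GET to the affected
    endpoint and the id is not a plain integer; otherwise return None."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/admin/media.php"):
        return None
    qs = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes values
    if qs.get("module") != ["pengurus"] or qs.get("act") != ["editpengurus"]:
        return None
    ids = qs.get("id", [])
    if not ids:
        return None
    # Assumption: a legitimate id is one decimal integer, sent once.
    if len(ids) == 1 and re.fullmatch(r"[0-9]+", ids[0]):
        return None
    return " | ".join(ids)

def scan(lines):
    """Return (line number, client address, decoded id, has SQL tokens) per hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        value = suspicious_id(line)
        if value is not None:
            hits.append((n, line.split()[0], value, bool(SQL_TOKEN_RE.search(value))))
    return hits

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/May/2026:10:01:02 +0000] "GET /admin/media.php?module=pengurus&act=editpengurus&id=12 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [30/May/2026:10:01:09 +0000] "GET /admin/media.php?module=pengurus&act=editpengurus&id=12%27+UNION+SELECT+1,2,3--+- HTTP/1.1" 200 5340',
    '198.51.100.4 - - [30/May/2026:10:02:30 +0000] "GET /admin/media.php?module=pengurus&act=editpengurus&id=abc HTTP/1.1" 200 4000',
    '198.51.100.4 - - [30/May/2026:10:02:41 +0000] "GET /admin/media.php?module=home HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit without SQL tokens (such as a non-numeric id) still deserves review, since the check rejects anything that is not an integer rather than relying on a keyword list.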


Advisories

No advisories yet.

History

Sat, 30 May 2026 23:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Simpkh; Simpkh sim-pkh
Vendors & Products | | Simpkh; Simpkh sim-pkh

Sat, 30 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | SIM-PKH 2.4.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to /admin/media.php with module=pengurus and act=editpengurus parameters containing SQL UNION statements to extract database information including usernames, database names, and version details.
Title | | SIM-PKH 2.4.1 SQL Injection via media.php id Parameter
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: score 7.1, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N; cvssV4_0: score 7.1, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-30T14:55:17.141Z

Reserved: 2026-05-30T12:27:11.523Z

Link: CVE-2018-25410

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-30T16:17:01.723

Modified: 2026-05-30T16:17:01.723

Link: CVE-2018-25410

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T21:17:46Z

Weaknesses