Description
MGB OpenSource Guestbook 0.7.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to email.php with crafted SQL payloads in the 'id' parameter to extract sensitive database information including table and column names.
Published: 2026-05-30
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MGB OpenSource Guestbook 0.7.0.2 contains a SQL injection vulnerability exploitable via the email.php script. The flaw allows unauthenticated users to inject arbitrary SQL code through the 'id' GET parameter, enabling the execution of any SELECT or other SQL statements on the underlying database. Attackers can retrieve sensitive information such as table names, column names, and stored data, thereby compromising the confidentiality of the application’s database.

Affected Systems

The vulnerable product is M-Gb MGB OpenSource Guestbook version 0.7.0.2. Only this released version is known to contain the flaw; newer iterations not listed in the data may include the fix. Users of this application should verify their installed version and apply any available updates.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity vulnerability, and while the EPSS score is not available, the absence of KEV listing does not reduce its threat level. The vulnerability is exploitable through a simple HTTP GET request to the public email.php endpoint, making it remotely reachable. An attacker can read database information and potentially use retrieved credentials to compromise other systems.

Generated by OpenCVE AI on May 30, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MGB OpenSource Guestbook to a version that removes the SQL injection flaw.
  • Restrict access to the email.php endpoint so that only authenticated users can reach it or block it via firewall rules.
  • Modify the code to validate the 'id' parameter and use parameterized queries instead of concatenated SQL statements.

Generated by OpenCVE AI on May 30, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 30 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Mgb
Mgb opensource Guestbook
Vendors & Products Mgb
Mgb opensource Guestbook

Sat, 30 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description MGB OpenSource Guestbook 0.7.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to email.php with crafted SQL payloads in the 'id' parameter to extract sensitive database information including table and column names.
Title MGB OpenSource Guestbook 0.7.0.2 SQL Injection via email.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Mgb Opensource Guestbook
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-30T14:55:17.817Z

Reserved: 2026-05-30T12:28:15.767Z

Link: CVE-2018-25411

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-30T16:17:01.853

Modified: 2026-05-30T16:17:01.853

Link: CVE-2018-25411

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T20:45:05Z

Weaknesses