Description
MGB OpenSource Guestbook 0.7.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to email.php with crafted SQL payloads in the 'id' parameter to extract sensitive database information including table and column names.
Published: 2026-05-30
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MGB OpenSource Guestbook 0.7.0.2 contains a SQL injection vulnerability exploitable via the email.php script. The flaw allows unauthenticated users to inject arbitrary SQL code through the 'id' GET parameter, enabling the execution of any SELECT or other SQL statements on the underlying database. Attackers can retrieve sensitive information such as table names, column names, and stored data, thereby compromising the confidentiality of the application’s database.

Affected Systems

The vulnerable product is M-Gb MGB OpenSource Guestbook version 0.7.0.2. Only this released version is known to contain the flaw; newer iterations not listed in the data may include the fix. Users of this application should verify their installed version and apply any available updates.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity vulnerability, and while the EPSS score is not available, the absence of KEV listing does not reduce its threat level. The vulnerability is exploitable through a simple HTTP GET request to the public email.php endpoint, making it remotely reachable. An attacker can read database information and potentially use retrieved credentials to compromise other systems.

Generated by OpenCVE AI on May 30, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MGB OpenSource Guestbook to a version that removes the SQL injection flaw.
  • Restrict access to the email.php endpoint so that only authenticated users can reach it or block it via firewall rules.
  • Modify the code to validate the 'id' parameter and use parameterized queries instead of concatenated SQL statements.

Generated by OpenCVE AI on May 30, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 30 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Mgb
Mgb opensource Guestbook
Vendors & Products Mgb
Mgb opensource Guestbook

Sat, 30 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description MGB OpenSource Guestbook 0.7.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to email.php with crafted SQL payloads in the 'id' parameter to extract sensitive database information including table and column names.
Title MGB OpenSource Guestbook 0.7.0.2 SQL Injection via email.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Mgb Opensource Guestbook
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-01T13:49:58.606Z

Reserved: 2026-05-30T12:28:15.767Z

Link: CVE-2018-25411

cve-icon Vulnrichment

Updated: 2026-06-01T13:49:54.831Z

cve-icon NVD

Status : Deferred

Published: 2026-05-30T16:17:01.853

Modified: 2026-06-01T16:51:36.193

Link: CVE-2018-25411

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T20:45:05Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')