Description
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'q' parameter. Attackers can send GET requests to search.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details.
Published: 2026-05-30
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unfiltered SQL injection in the 'q' parameter of search.php that can be exploited by unauthenticated users via HTTP GET requests. Attackers can inject arbitrary SQL statements, allowing them to read sensitive data such as usernames, database names, and server version details. This weakness aligns with CWE‑89 and results in substantial confidentiality loss if the database contains private information.

Affected Systems

The affected product is AiOPMSD Final version 1.0.0, released by Aiopmsd. No other product variations are listed.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity exploit. No EPSS data is available, so the exact exploitation probability is uncertain, and the vulnerability is not listed in the CISA KEV catalog. Because authentication is not required, the attack can originate from any network host that can reach the web server, making exposure widespread. Exploitation leverages the public search endpoint, so the vector is network-based.

Generated by OpenCVE AI on May 30, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of AiOPMSD Final or migrate to a newer release that resolves the SQL injection.
  • Restrict access to search.php so that only authenticated users can reach it, or block the endpoint entirely via web server configuration or firewall rules.
  • Rewrite the vulnerable code to use parameterized SQL statements and validate the 'q' input according to secure coding practices.

Generated by OpenCVE AI on May 30, 2026 at 16:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 30 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Aiopmsd
Aiopmsd aiopmsd Final
Vendors & Products Aiopmsd
Aiopmsd aiopmsd Final

Sat, 30 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'q' parameter. Attackers can send GET requests to search.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details.
Title AiOPMSD Final 1.0.0 SQL Injection via search.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Aiopmsd Aiopmsd Final
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-01T15:04:56.197Z

Reserved: 2026-05-30T12:36:39.689Z

Link: CVE-2018-25413

cve-icon Vulnrichment

Updated: 2026-06-01T15:04:42.720Z

cve-icon NVD

Status : Deferred

Published: 2026-05-30T16:17:02.130

Modified: 2026-06-01T16:51:36.193

Link: CVE-2018-25413

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T21:17:43Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')