Description
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'q' parameter. Attackers can send GET requests to search.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details.
Published: 2026-05-30
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unfiltered SQL injection in the 'q' parameter of search.php that can be exploited by unauthenticated users via HTTP GET requests. Attackers can inject arbitrary SQL statements, allowing them to read sensitive data such as usernames, database names, and server version details. This weakness aligns with CWE‑89 and results in substantial confidentiality loss if the database contains private information.

Affected Systems

The affected product is AiOPMSD Final version 1.0.0, released by Aiopmsd. No other product variations are listed.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity exploit. No EPSS data is available, so the exact exploitation probability is uncertain, and the vulnerability is not listed in the CISA KEV catalog. Because authentication is not required, the attack can originate from any network host that can reach the web server, making exposure widespread. Exploitation leverages the public search endpoint, so the vector is network-based.

Generated by OpenCVE AI on May 30, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of AiOPMSD Final or migrate to a newer release that resolves the SQL injection.
  • Restrict access to search.php so that only authenticated users can reach it, or block the endpoint entirely via web server configuration or firewall rules.
  • Rewrite the vulnerable code to use parameterized SQL statements and validate the 'q' input according to secure coding practices.

Generated by OpenCVE AI on May 30, 2026 at 16:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 30 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'q' parameter. Attackers can send GET requests to search.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details.
Title AiOPMSD Final 1.0.0 SQL Injection via search.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-30T14:55:19.369Z

Reserved: 2026-05-30T12:36:39.689Z

Link: CVE-2018-25413

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-30T16:17:02.130

Modified: 2026-05-30T16:17:02.130

Link: CVE-2018-25413

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T16:30:27Z

Weaknesses