Description
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the actor parameter. Attackers can send GET requests to actor.php with crafted SQL payloads in the actor parameter to extract sensitive database information including usernames, database names, and version details.
Published: 2026-05-30
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AiOPMSD Final 1.0.0 contains a SQL injection flaw in actor.php that allows attackers with no authentication to craft GET requests containing malicious SQL. By injecting payloads into the actor parameter, an attacker can execute arbitrary SQL statements, enabling extraction of sensitive information such as usernames, database names, and version details. The vulnerability is a classic input-validation weakness classified as CWE-89, which can lead to compromise of database confidentiality and integrity.

Affected Systems

The affected product is AiOPMSD Final. The CVE identifies version 1.0.0 as vulnerable; no other versions are listed in the CNA data.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity. EPSS is not available, so the likelihood of exploitation cannot be quantified from public data. The vulnerability is not listed in CISA’s KEV catalog. Attackers can reach the flaw via unauthenticated HTTP requests to actor.php, making the attack vector web-based and remote. Given the high score and the lack of authentication requirement, the risk to exposed data is significant.

Generated by OpenCVE AI on May 30, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update AiOPMSD to a known patched release or request a vendor fix if one is available.
  • If no patch is available, restrict external access to actor.php using firewall rules or .htaccess to block GET requests from untrusted hosts.
  • Modify the application to validate and sanitize the actor parameter, ensuring all database interactions use parameterized queries or prepared statements to prevent injection.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 30 May 2026 23:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Aiopmsd, Aiopmsd aiopmsd Final
Vendors & Products | | Aiopmsd, Aiopmsd aiopmsd Final

Sat, 30 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the actor parameter. Attackers can send GET requests to actor.php with crafted SQL payloads in the actor parameter to extract sensitive database information including usernames, database names, and version details.
Title | | AiOPMSD Final 1.0.0 SQL Injection via actor.php
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
Metrics | | cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-02T18:48:14.421Z

Reserved: 2026-05-30T12:37:07.350Z

Link: CVE-2018-25414

Vulnrichment

Updated: 2026-06-02T18:46:50.764Z

NVD

Status: Deferred

Published: 2026-05-30T16:17:02.257

Modified: 2026-06-01T16:51:36.193

Link: CVE-2018-25414

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T21:17:42Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')