Description
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the director parameter. Attackers can send GET requests to director.php with crafted SQL payloads in the director parameter to extract sensitive database information including usernames, database names, and version details.
Published: 2026-05-30
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AiOPMSD Final 1.0.0 contains a SQL injection flaw that lets attackers, without authentication, send crafted GET requests to director.php to inject arbitrary SQL commands. The vulnerability allows arbitrary query execution, enabling attackers to read sensitive database content such as usernames, database names, and version information. This directly compromises confidentiality and could also be used to alter or delete data, impacting integrity.

Affected Systems

The affected product is AiOPMSD Final version 1.0.0 from vendor Aiopmsd.

Risk and Exploitability

The score of 8.8 (High) indicates severe impact. The flaw can be triggered remotely over the network by sending a GET request to director.php with a malicious payload in the director parameter. Because no authentication is required, anyone with network access to the application can exploit it. No EPSS score is available, but the high CVSS score and the fact that the bug is publicly documented on several advisory sites suggest it is ready to be exploited. The issue is not listed in the CISA KEV catalog, yet its severity warrants immediate attention.

Generated by OpenCVE AI on May 30, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch or upgrade AiOPMSD Final to a version that addresses the SQL injection flaw
  • If no patch is available, refactor director.php to use parameterized queries or properly escape user input before including it in SQL statements
  • Restrict direct access to director.php by enabling authentication, using web-application firewalls, or limiting access to trusted hosts

Advisories

No advisories yet.

History

Sat, 30 May 2026 15:30:00 +0000

Values Removed: (none)

Values Added:

  Description: AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the director parameter. Attackers can send GET requests to director.php with crafted SQL payloads in the director parameter to extract sensitive database information including usernames, database names, and version details.
  Title: AiOPMSD Final 1.0.0 SQL Injection via director Parameter
  Weaknesses: CWE-89
  References
  Metrics:
    cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
    cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-30T14:55:20.917Z

Reserved: 2026-05-30T12:39:58.178Z

Link: CVE-2018-25415

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-30T16:17:02.390

Modified: 2026-05-30T16:17:02.390

Link: CVE-2018-25415

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T16:30:27Z