Description
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the quality parameter. Attackers can send GET requests to quality.php with crafted SQL payloads in the quality parameter to extract sensitive database information including usernames, database names, and version details.
Published: 2026-05-30
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the quality.php script of AiOPMSD Final, where the quality GET parameter is not properly sanitized. This allows attackers to inject arbitrary SQL fragments, enabling execution of any SQL query. The flaw is a classic SQL injection, identified as CWE-89. Attackers can thus retrieve sensitive database information such as usernames, database names, and version details, resulting in potential data disclosure.

Affected Systems

The affected product is AiOPMSD Final 1.0.0, developed by Aiopmsd. No later versions or patches are referenced in the current data, so installations of this specific release remain vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 score of 8.8 (8.2 under CVSS 3.1), indicating a high severity level. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The flaw is reachable remotely over HTTP through unauthenticated GET requests, requiring only knowledge of the vulnerable URL and standard SQL injection payloads. The low barrier to exploitation and the high potential for data exposure translate into a significant risk for affected systems.

Generated by OpenCVE AI on May 30, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

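  • If the vendor publishes a patched release that sanitizes the quality parameter or implements prepared statements, upgrade AiOPMSD Final to it.
  • Until an upgrade is possible, modify quality.php to validate the quality input and keep it out of the SQL text, preferably with PDO or mysqli prepared statements. Escaping with mysqli_real_escape_string only protects values that are placed inside quoted string literals, so prepared statements are the more reliable option.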
  • Restrict the database user account used by the application to the minimum privileges necessary, limiting the impact of any successful injection.
  • Consider deploying a web application firewall to detect and block common SQL injection patterns before they reach the web application.
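
The second recommended action, as an added example. This is not AiOPMSD code (the source of quality.php is not shown on this page): the videos table, its columns, the sample rows and the assumption that quality is a short alphanumeric label are all hypothetical, and an in-memory SQLite database stands in for the real one so the script runs offline with the PHP 8 CLI.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the lookup in quality.php. Names and rows are
// constructed for illustration; none are taken from AiOPMSD.
// Pattern being replaced (assumed): "... WHERE quality = '" . $_GET['quality'] . "'"

/** Allow-list check: only a short alphanumeric label is accepted. */
function validate_quality(mixed $raw): ?string
{
    if (!is_string($raw) || preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $raw) !== 1) {
        return null; // arrays, quotes, spaces and SQL syntax all end up here
    }
    return $raw;
}

/** Bound parameter: the value travels separately from the SQL text. */
function find_by_quality(PDO $pdo, string $quality): array
{
    $stmt = $pdo->prepare('SELECT id, title FROM videos WHERE quality = :quality');
    $stmt->execute([':quality' => $quality]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT, quality TEXT)');
$pdo->exec("INSERT INTO videos (title, quality) VALUES ('clip-a', '720p'), ('clip-b', '1080p')");

// Constructed inputs: a legitimate value and one that carries SQL syntax.
// In the web handler the input would be validate_quality($_GET['quality'] ?? null),
// answered with HTTP 400 when it returns null.
foreach (['720p', "720p' OR '1'='1"] as $input) {
    $accepted = validate_quality($input) !== null;
    // The bound query is run on both inputs to show that it compares the
    // whole string as data instead of parsing it as SQL.
    $rows = find_by_quality($pdo, $input);
    printf(
        "%-18s validation=%s bound-query rows=%d\n",
        $input,
        $accepted ? 'accepted' : 'rejected',
        count($rows)
    );
}
```

With MySQL, the same two functions apply unchanged; setting PDO::ATTR_EMULATE_PREPARES to false makes the driver use server-side prepared statements.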


Advisories

No advisories yet.

History

Sat, 30 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the quality parameter. Attackers can send GET requests to quality.php with crafted SQL payloads in the quality parameter to extract sensitive database information including usernames, database names, and version details.
Title AiOPMSD Final 1.0.0 SQL Injection via quality.php
Weaknesses CWE-89
References
Metrics cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-30T14:55:22.355Z

Reserved: 2026-05-30T12:40:58.205Z

Link: CVE-2018-25417

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-30T16:17:02.717

Modified: 2026-05-30T16:17:02.717

Link: CVE-2018-25417

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T16:30:27Z

Weaknesses