Description
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the year parameter. Attackers can send GET requests to year.php with crafted SQL payloads in the year parameter to extract sensitive database information including usernames, database names, and version details.
Published: 2026-05-30
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A classic SQL injection flaw exists in the year parameter of the year.php script of AiOPMSD Final, allowing attackers to execute arbitrary SQL queries without authentication. This can lead to the extraction of sensitive database information, including usernames, database names, and version details, thereby violating confidentiality and integrity.

Affected Systems

The vulnerability is present in AiOPMSD Final 1.0.0, distributed by the Aiopmsd:AiOPMSD Final vendor.

Risk and Exploitability

With a CVSS score of 8.8 and no EPSS data available, the risk is high and the likelihood of exploitation remains substantial. The flaw can be triggered via simple unauthenticated GET requests to year.php, and it is not listed in the CISA KEV catalog, indicating no confirmed exploitation cases yet, but still posing a significant threat if left unmitigated.

Generated by OpenCVE AI on May 30, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AiOPMSD Final to the newest release in which the SQL injection is resolved.
  • If no patch is available, enforce input validation that rejects any non‑numeric input for the year parameter before it reaches the backend.
  • Modify the application to use prepared statements or PDO with bound parameters for all queries involving the year value.
  • Restrict the database user privileges associated with the web application to only allow SELECT operations, preventing destructive queries.

Generated by OpenCVE AI on May 30, 2026 at 16:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 30 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Aiopmsd
Aiopmsd aiopmsd Final
Vendors & Products Aiopmsd
Aiopmsd aiopmsd Final

Sat, 30 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the year parameter. Attackers can send GET requests to year.php with crafted SQL payloads in the year parameter to extract sensitive database information including usernames, database names, and version details.
Title AiOPMSD Final 1.0.0 SQL Injection via year.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Aiopmsd Aiopmsd Final
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-02T02:10:48.503Z

Reserved: 2026-05-30T12:41:22.679Z

Link: CVE-2018-25418

cve-icon Vulnrichment

Updated: 2026-06-02T02:10:41.033Z

cve-icon NVD

Status : Deferred

Published: 2026-05-30T16:17:02.847

Modified: 2026-06-01T16:51:36.193

Link: CVE-2018-25418

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T21:17:37Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')