Description
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the genre parameter. Attackers can send GET requests to genre.php with crafted SQL payloads in the genre parameter to extract sensitive database information including usernames, database names, and version details.
Published: 2026-05-30
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AiOPMSD Final 1.0.0 contains a classic SQL injection flaw that does not require authentication; an attacker can embed malicious SQL code into the genre query string and cause the application to execute arbitrary SQL statements. This flaw corresponds to CWE‑89 and allows an attacker to read sensitive database information such as user names, database names, and the database version, thereby compromising confidentiality and potentially enabling further post‑exploitation steps.

Affected Systems

AiOPMSD Final version 1.0.0 is affected. No other vendor or product variations are listed.

Risk and Exploitability

The flaw carries a CVSS score of 8.8, indicating high severity and broad impact. No embedded EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, so explicit exploitation likelihood is uncertain, yet an exploit exists in public exploit repositories. Attackers can trigger the vulnerability via unauthenticated HTTP GET requests to genre.php, so the attack surface is the public network and the risk is moderate to high for exposed installations.

Generated by OpenCVE AI on May 30, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AiOPMSD Final to a patched version that resolves the SQL injection flaw
  • Sanitize the genre parameter on the server side or use parameterized queries to eliminate unsanitized input
  • Limit access to genre.php by applying network ACLs or IP whitelisting to restrict who can send requests to the vulnerable endpoint

Generated by OpenCVE AI on May 30, 2026 at 16:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 30 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Aiopmsd
Aiopmsd aiopmsd Final
Vendors & Products Aiopmsd
Aiopmsd aiopmsd Final

Sat, 30 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the genre parameter. Attackers can send GET requests to genre.php with crafted SQL payloads in the genre parameter to extract sensitive database information including usernames, database names, and version details.
Title AiOPMSD Final 1.0.0 SQL Injection via genre.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Aiopmsd Aiopmsd Final
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-01T15:03:08.330Z

Reserved: 2026-05-30T12:48:30.863Z

Link: CVE-2018-25419

cve-icon Vulnrichment

Updated: 2026-06-01T15:02:41.192Z

cve-icon NVD

Status : Deferred

Published: 2026-05-30T16:17:02.980

Modified: 2026-06-01T16:51:36.193

Link: CVE-2018-25419

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T21:17:35Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')