Description
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to watch.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details.
Published: 2026-05-30
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AiOPMSD Final 1.0.0 contains a classic SQL injection flaw that permits attackers to inject arbitrary SQL through the 'id' GET parameter on watch.php without needing authentication. The vulnerability can be abused to query internal tables and retrieve sensitive information such as usernames, database names, and version details, effectively allowing data exfiltration and potentially aiding further attacks. This weakness tests the CWE-89 category of injection flaws.

Affected Systems

This issue affects the AiOPMSD Final application, version 1.0.0, as distributed from the official project site.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and while the EPSS value is not published, the lack of a known exploitation restriction and the vulnerability’s absence from the KEV catalog suggest it remains a realistic threat. Attackers can pose as unwarranted users by sending crafted GET requests to watch.php. The flaw does not require special privileges or network access beyond visibility to the web interface, making it a practical vector for unauthenticated data compromise.

Generated by OpenCVE AI on May 30, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AiOPMSD to the latest release from the official repository, which incorporates the SQL injection fix.
  • Enforce network access controls to restrict external users from reaching the web server hosting watch.php, such as applying IP whitelisting or firewall rules.
  • Deploy a web application firewall (WAF) or input validation layer that blocks suspicious SQL patterns in the 'id' parameter, providing an interim protection while the patch is applied.

Generated by OpenCVE AI on May 30, 2026 at 16:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 30 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Aiopmsd
Aiopmsd aiopmsd Final
Vendors & Products Aiopmsd
Aiopmsd aiopmsd Final

Sat, 30 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to watch.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details.
Title AiOPMSD Final 1.0.0 SQL Injection via watch.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Aiopmsd Aiopmsd Final
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-01T15:04:30.580Z

Reserved: 2026-05-30T12:48:55.100Z

Link: CVE-2018-25420

cve-icon Vulnrichment

Updated: 2026-06-01T15:04:14.201Z

cve-icon NVD

Status : Deferred

Published: 2026-05-30T16:17:03.110

Modified: 2026-06-01T16:51:36.193

Link: CVE-2018-25420

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T21:17:34Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')