Description
MOGG web simulator Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the id parameter. Attackers can send GET requests to play.php with crafted SQL payloads in the id parameter to extract sensitive database information including usernames and other data.
Published: 2026-05-30
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The MOGG web simulator Script contains a classic SQL injection flaw in the play.php endpoint. An unauthenticated attacker can supply a crafted id parameter in a GET request, and the application concatenates that unsanitized input into an SQL statement. This permits extraction of sensitive database contents such as usernames and potentially other data, compromising confidentiality. The weakness is classified as CWE-89.

Affected Systems

The vulnerability is reported to affect all publicly available versions of the MOGG web simulator Script referenced as spider312:MOGG web simulator Script. No specific edition or version numbers are provided; therefore, all deployments of this script should be assumed vulnerable unless patched.

Risk and Exploitability

The CVSS score is 8.8, classifying the issue as high severity. EPSS data is not available, so the current exploitation probability cannot be quantified, but the lack of authentication requirements suggests the vulnerability could be exploited widely. The vulnerability does not appear in the CISA KEV catalog, indicating no confirmed exploitation in the wild yet, but the classic SQL injection vector makes it a strong candidate for automated exploitation tools.

Generated by OpenCVE AI on May 30, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy a web application firewall or intrusion detection system to inspect and block SQL injection attempts against play.php.
  • Implement server‑side validation that restricts the id parameter to numeric values or otherwise sanitizes user input before it is incorporated into SQL statements.
  • Monitor web server logs for suspicious patterns of SQL payloads and block offending IP addresses; consider restricting access to play.php to trusted hosts if possible.

Generated by OpenCVE AI on May 30, 2026 at 16:22 UTC.
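
The log-monitoring and numeric-id recommendations above can be combined into one check: any request to play.php whose id value is not purely numeric is worth reviewing. The following is an added example, not code from OpenCVE or the MOGG project; it assumes Apache/nginx combined-format access logs and that the script is served at /play.php, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Leading part of a common/combined access-log line:
#   IP ident user [timestamp] "METHOD target PROTOCOL" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# A legitimate id is assumed to be a short run of ASCII digits.
NUMERIC_ID = re.compile(r"[0-9]{1,10}")

def suspicious_play_requests(lines):
    """Return (client_ip, decoded_id) for play.php requests whose id is not numeric."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log request line
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/play.php"):
            continue
        # parse_qs percent-decodes each value and returns every repeated "id";
        # keep_blank_values makes an empty "id=" visible as well.
        for value in parse_qs(url.query, keep_blank_values=True).get("id", []):
            if not NUMERIC_ID.fullmatch(value):
                hits.append((m.group("ip"), value))
    return hits

# Constructed sample lines (documentation IP ranges, assumed /play.php path).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/May/2026:16:20:01 +0000] "GET /play.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [30/May/2026:16:20:05 +0000] "GET /play.php?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9210 "-" "curl/8.0"',
    '198.51.100.23 - - [30/May/2026:16:20:09 +0000] "GET /play.php?id=7&id=7%27-- HTTP/1.1" 200 733 "-" "curl/8.0"',
    '203.0.113.7 - - [30/May/2026:16:21:00 +0000] "GET /index.php?id=abc HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, value in suspicious_play_requests(SAMPLE_LOG):
        print(f"{ip}\tnon-numeric id: {value!r}")
```

The same all-digits rule is what server-side validation of id should enforce before the value reaches any SQL statement; the log check only shows who has been sending values that would fail it.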


Advisories

No advisories yet.

History

Mon, 01 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 30 May 2026 23:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Spider312; Spider312 mogg Web Simulator Script
Vendors & Products | | Spider312; Spider312 mogg Web Simulator Script

Sat, 30 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | MOGG web simulator Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the id parameter. Attackers can send GET requests to play.php with crafted SQL payloads in the id parameter to extract sensitive database information including usernames and other data.
Title | | MOGG web simulator Script All Version SQL Injection via play.php
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
Metrics | | cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-01T15:09:53.908Z

Reserved: 2026-05-30T13:03:26.740Z

Link: CVE-2018-25422

Vulnrichment

Updated: 2026-06-01T15:09:50.687Z

NVD

Status: Deferred

Published: 2026-05-30T16:17:03.377

Modified: 2026-06-01T16:55:20.100

Link: CVE-2018-25422

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T21:17:31Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')