Description
MOGG web simulator Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the id parameter. Attackers can send GET requests to play.php with crafted SQL payloads in the id parameter to extract sensitive database information including usernames and other data.
Published: 2026-05-30
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The MOGG web simulator Script contains a classic SQL injection flaw in the play.php endpoint. An unauthenticated attacker can supply a crafted id parameter in a GET request, and the application concatenates that unsanitized input into an SQL statement. This permits extraction of sensitive database contents such as usernames and potentially other data, compromising confidentiality. The weakness is classified as CWE-89.

Affected Systems

The vulnerability is reported to affect all publicly available versions of the MOGG web simulator Script referenced as spider312:MOGG web simulator Script. No specific edition or version numbers are provided; therefore, all deployments of this script should be assumed vulnerable unless patched.

Risk and Exploitability

The CVSS v4.0 score is 8.8, classifying the issue as high severity. EPSS data is not available, so the current exploitation probability cannot be quantified, but the lack of authentication requirements suggests the vulnerability could be exploited widely. The vulnerability does not appear in the CISA KEV catalog, indicating no confirmed exploitation in the wild yet, but the classic SQL injection vector makes it a strong candidate for automated exploitation tools.

Generated by OpenCVE AI on May 30, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy a web application firewall or intrusion detection system to inspect and block SQL injection attempts against play.php.
  • Implement server‑side validation that restricts the id parameter to numeric values or otherwise sanitizes user input before it is incorporated into SQL statements.
  • Monitor web server logs for suspicious patterns of SQL payloads and block offending IP addresses; consider restricting access to play.php to trusted hosts if possible.
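
The numeric-only rule for the id parameter and the log monitoring recommended above can share one check. The Python sketch below is an added example, not code from OpenCVE or the MOGG project; the combined access-log format, the 1 to 10 digit shape of a legitimate id, and the sample log lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format entry: client IP first, request line in the first quoted field.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
NUMERIC_ID = re.compile(r"[0-9]{1,10}")  # assumed shape of a legitimate id

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/May/2026:16:00:01 +0000] "GET /play.php?id=42 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [30/May/2026:16:00:09 +0000] "GET /play.php?id=1%27 HTTP/1.1" 500 310',
    '198.51.100.23 - - [30/May/2026:16:00:15 +0000] "GET /game/play.php?id=7%20OR%201%3D1 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [30/May/2026:16:00:20 +0000] "GET /index.php?id=abc HTTP/1.1" 200 900',
]

def suspicious_id(target):
    """Return the decoded id if a play.php request carries a non-numeric id, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/play.php"):
        return None
    # parse_qs percent-decodes the value; keep_blank_values keeps "id=" visible.
    values = parse_qs(parts.query, keep_blank_values=True).get("id", [])
    for value in values:
        if not NUMERIC_ID.fullmatch(value):
            return value
    # A repeated id parameter is unusual enough to report as well.
    if len(values) > 1:
        return ",".join(values)
    return None

def scan(lines):
    """Return (client_ip, decoded_id) for every play.php request that fails the allow-list."""
    findings = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        bad = suspicious_id(match.group("target"))
        if bad is not None:
            findings.append((match.group("ip"), bad))
    return findings

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} sent non-numeric id: {value!r}")
```

Because the check is an allow-list rather than a list of known-bad strings, the same pattern can back the server-side validation of id as well as the log review.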



Advisories

No advisories yet.

History

Sat, 30 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | MOGG web simulator Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the id parameter. Attackers can send GET requests to play.php with crafted SQL payloads in the id parameter to extract sensitive database information including usernames and other data.
Title | | MOGG web simulator Script All Version SQL Injection via play.php
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}; cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-30T14:55:26.042Z

Reserved: 2026-05-30T13:03:26.740Z

Link: CVE-2018-25422

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-30T16:17:03.377

Modified: 2026-05-30T16:17:03.377

Link: CVE-2018-25422

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T16:30:27Z
