Description
Yot CMS 3.3.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid and cid parameters. Attackers can send GET requests to index.php with crafted SQL payloads in the aid or cid parameters to extract database information including table and column names.
Published: 2026-05-30
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A SQL injection flaw exists in the query parameters of Yot CMS 3.3.1 that lets an unauthenticated user send specially crafted GET requests containing attacker-controlled SQL in the aid or cid fields. These values are passed directly to the database engine, enabling the execution of arbitrary SQL statements. The impact is the ability to read, modify, or delete data in the underlying database, including table and column names, user credentials, and application configuration values.

Affected Systems

Yot CMS version 3.3.1 is affected. No other versions are mentioned as vulnerable, so only installations running this exact version are at risk.

Risk and Exploitability

The CVSS score of 8.8 classifies this issue as high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote: an unauthenticated attacker only needs to send a crafted HTTP GET request to index.php with malicious payloads in aid or cid. No prior authentication or escalation is required, making exploitation straightforward for a web attacker.

Generated by OpenCVE AI on May 30, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update Yot CMS to the latest available version or apply any vendor-provided patch that fixes the SQL injection flaw.
  • If an update is not possible, restrict the aid and cid parameters to numeric values only or remove them from public URLs to prevent SQL injection attempts.
  • Deploy a web application firewall or pattern-matching rule that blocks suspicious SQL keywords within query strings to mitigate exploitation.
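The second recommendation (accept only numeric aid and cid values) shown as an added PHP example beside the unsafe pattern it replaces; this is not Yot CMS's own code, and the table name, column names and DSN credentials are placeholders assumed for illustration:

```php
<?php
// Added example: restricting aid/cid to integers and binding them as query
// parameters. Not Yot CMS code; "articles", "aid", "cid" and the DSN are
// placeholders assumed for illustration.

// Unsafe pattern: the raw query-string value is spliced into the SQL text,
// so anything other than a number reaches the database engine as SQL.
function lookupArticleUnsafe(PDO $db, array $get): ?array
{
    $sql = "SELECT * FROM articles WHERE aid = " . $get['aid']
         . " AND cid = " . $get['cid'];
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Hardened step 1: accept only a non-negative integer; anything else
// (missing, non-numeric, or an array such as aid[]) is rejected with 400.
function requireIntParam(array $get, string $name): int
{
    $value = filter_var($get[$name] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 0]]);
    if ($value === false) {
        http_response_code(400);
        exit("Invalid value for parameter '{$name}'");
    }
    return $value;
}

// Hardened step 2: the validated integers are bound as typed parameters,
// never interpolated into the statement text.
function lookupArticle(PDO $db, array $get): ?array
{
    $aid = requireIntParam($get, 'aid');
    $cid = requireIntParam($get, 'cid');
    $stmt = $db->prepare('SELECT * FROM articles WHERE aid = :aid AND cid = :cid');
    $stmt->bindValue(':aid', $aid, PDO::PARAM_INT);
    $stmt->bindValue(':cid', $cid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Emulated prepares are disabled so the database server performs the binding.
$db = new PDO('mysql:host=localhost;dbname=yot_placeholder', 'user', 'pass', [
    PDO::ATTR_ERRMODE           => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES  => false,
]);
$article = lookupArticle($db, $_GET);
```

Validation alone is enough to stop the injection described in this record; the prepared statement is belt-and-braces so that a later change to the query cannot reintroduce the flaw.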


Advisories

No advisories yet.

History

Sat, 30 May 2026 15:30:00 +0000

Type / Values Removed / Values Added (initial record: no values removed)

  • Description: added "Yot CMS 3.3.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid and cid parameters. Attackers can send GET requests to index.php with crafted SQL payloads in the aid or cid parameters to extract database information including table and column names."
  • Title: added "Yot CMS 3.3.1 SQL Injection via aid and cid Parameters"
  • Weaknesses: added CWE-89
  • References: none
  • Metrics: added cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'} and cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-30T14:55:28.708Z

Reserved: 2026-05-30T14:44:13.144Z

Link: CVE-2018-25425

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-30T16:17:03.847

Modified: 2026-05-30T16:17:03.847

Link: CVE-2018-25425

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T16:30:27Z

Weaknesses