Description
Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the eGeqIdEquipe parameter. Attackers can send GET requests to the egeq.php endpoint with crafted SQL payloads to extract sensitive database information including version details and other data.
Published: 2026-06-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Paroiciel version 11.20 contains a CWE-89 SQL injection flaw that allows authenticated users to inject arbitrary SQL statements into the eGeqIdEquipe parameter via GET requests to egeq.php. The vulnerability can be exploited to read or modify sensitive data stored in the application database, potentially exposing user credentials, business data, and system configuration.

Affected Systems

The flaw affects installations of Paroiciel 11.20; Paroiciel is also the vendor. No version information beyond 11.20 is provided, so every instance of that version should be treated as potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a high impact with moderate to high exploitability. The EPSS score is not available, and the vulnerability is not listed in KEV, but the attack requires valid authentication and direct URL manipulation. Because only authenticated users can trigger the injection, privileged accounts are the primary threat vector. The risk is considered significant, especially in environments where the database contains sensitive information.

Generated by OpenCVE AI on June 1, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Paroiciel to the latest patched version that resolves the eGeqIdEquipe SQL injection flaw.
  • Restrict access to the egeq.php endpoint so that only users with the minimum required privileges can reach it, and revoke any super-user roles that are no longer needed.
  • Modify the application code to employ parameterized queries or prepared statements when processing the eGeqIdEquipe value, eliminating direct string concatenation of user input into SQL statements.
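As an added illustration of the last recommendation (hypothetical code written for this page, not Paroiciel's own egeq.php, whose source is not shown here), the handler below contrasts the string-concatenation pattern behind a CWE-89 flaw with a hardened version that validates eGeqIdEquipe as a positive integer and binds it through a PDO prepared statement; the table and column names and the in-memory SQLite demo data are assumptions.

```php
<?php
// Added example (hypothetical; not Paroiciel's code). Table/column names are assumed.

// Vulnerable pattern: the GET value is spliced straight into the SQL text,
// so whatever the client sends becomes part of the statement.
function getEquipeVulnerable(PDO $db, array $get): array
{
    $sql = "SELECT id, nom FROM equipe WHERE id = " . $get['eGeqIdEquipe'];
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: reject anything that is not a plain positive integer,
// then bind the value so the database never parses it as SQL.
function getEquipeSafe(PDO $db, array $get): array
{
    $raw = $get['eGeqIdEquipe'] ?? '';
    $id  = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);   // malformed id: refuse the request
        return [];
    }
    $stmt = $db->prepare('SELECT id, nom FROM equipe WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE equipe (id INTEGER PRIMARY KEY, nom TEXT)');
$db->exec("INSERT INTO equipe VALUES (1, 'Alpha'), (2, 'Beta')");

var_dump(getEquipeSafe($db, ['eGeqIdEquipe' => '2']));   // one row: id 2, nom Beta
var_dump(getEquipeSafe($db, ['eGeqIdEquipe' => "2'"]));  // rejected: empty array
```

The validation step alone would not be a sufficient fix for a parameter that legitimately carries free text; binding the value is what removes the injection, and the integer check is defence in depth for an id field.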

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 18:30:00 +0000

  • Metrics (values added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 21:45:00 +0000

  • Description (values added): Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the eGeqIdEquipe parameter. Attackers can send GET requests to the egeq.php endpoint with crafted SQL payloads to extract sensitive database information including version details and other data.
  • Title (values added): Paroiciel 11.20 SQL Injection via eGeqIdEquipe Parameter
  • Weaknesses (values added): CWE-89
  • References (values added): (no entries shown)
  • Metrics (values added): cvssV3_1
    {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}
    cvssV4_0
    {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-02T15:46:03.401Z

Reserved: 2026-05-31T13:03:17.626Z

Link: CVE-2018-25430

Vulnrichment

Updated: 2026-06-02T15:13:09.753Z

NVD

Status: Deferred

Published: 2026-06-01T22:16:16.300

Modified: 2026-06-02T14:43:49.920

Link: CVE-2018-25430

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T22:30:03Z

Weaknesses