Description
Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an authentication bypass vulnerability in the login.php administration panel that allows unauthenticated attackers to gain administrative access by submitting crafted SQL syntax. Attackers can bypass authentication by submitting equals signs and 'or' operators as username and password parameters to access the administration panel without valid credentials.
Published: 2026-03-12
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass leading to unauthenticated administrative access
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in Jettweb PHP Hazir Haber Sitesi Scripti V3 due to improper handling of login credentials in login.php. By submitting crafted SQL syntax containing equals signs and 'or' operators as both username and password, an attacker can bypass authentication and gain unrestricted administrative control over the site. This results in full control of the web application, allowing an attacker to alter content, modify configurations, or exfiltrate sensitive data. The weakness is a classic SQL injection in an authentication context (CWE-89).
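
The weakness class described above, shown as an added illustration that is not Jettweb's code (this page does not include login.php): a login query built by string concatenation beside a prepared-statement version. The admin table, its columns, the function names and the sample inputs are assumptions, and the script needs PHP with the pdo_sqlite extension.

```php
<?php
// Added example, not the vendor's login.php. Schema, names and inputs are assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (username TEXT, password TEXT, password_hash TEXT)');
// Constructed account. The plaintext column exists only so the weak query has
// something to compare against; the hardened path reads password_hash only.
$db->prepare('INSERT INTO admin VALUES (?, ?, ?)')->execute([
    'editor', 'sample-pw', password_hash('sample-pw', PASSWORD_DEFAULT),
]);

// Weak pattern (CWE-89): request values are pasted into the SQL text and the
// login succeeds whenever the query returns any row.
function login_concat(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT username FROM admin WHERE username = '$user' AND password = '$pass'";
    try {
        return $db->query($sql)->fetch() !== false;
    } catch (PDOException $e) {
        return false; // malformed SQL caused by the input
    }
}

// Hardened: the username travels as a bound parameter, so quotes, '=' and 'or'
// stay data; the password is checked in PHP against a stored hash.
function login_prepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM admin WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

// Constructed inputs: [username, password].
$cases = [
    'valid credentials'  => ['editor', 'sample-pw'],
    'wrong password'     => ['editor', 'not-the-password'],
    "quote/'or'/= input" => ["' or ''='", "' or ''='"],
];
foreach ($cases as $label => [$u, $p]) {
    printf("%-20s concat=%-5s prepared=%s\n", $label,
        var_export(login_concat($db, $u, $p), true),
        var_export(login_prepared($db, $u, $p), true));
}
```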

Affected Systems

Affected vendor: Jettweb; product: Hazir Haber Sitesi Scripti V3 (also listed as php_stock_news_site_script). The CNA provides no specific affected-version information; however, the CPE string cpe:2.3:a:jettweb:php_stock_news_site_script:3:*:*:*:*:*:*:* indicates the vulnerability exists in version 3 of the script.

Risk and Exploitability

The CVSS base score is 8.7, indicating high severity. EPSS is less than 1%, suggesting a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit this by sending an unauthenticated HTTP request to the login.php endpoint with specially crafted parameters, thereby bypassing authentication. Although the vulnerability is not yet widely exploited, monitoring for suspicious login attempts and enforcing network-level restrictions are also advisable.

Generated by OpenCVE AI on March 17, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether Jettweb has released a patch or newer version that fixes the authentication bypass, and apply it immediately
  • If no patch is available, remove or rename the login.php file to disable the vulnerable administrative panel
  • Restrict access to the remaining administrative URL to trusted IP addresses or enforce additional authentication measures



Advisories

No advisories yet.

History

Tue, 17 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Jettweb php Stock News Site Script
CPEs cpe:2.3:a:jettweb:php_stock_news_site_script:3:*:*:*:*:*:*:*
Vendors & Products Jettweb php Stock News Site Script

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Jettweb
Jettweb hazir Haber Sitesi Scripti
Vendors & Products Jettweb
Jettweb hazir Haber Sitesi Scripti

Thu, 12 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an authentication bypass vulnerability in the login.php administration panel that allows unauthenticated attackers to gain administrative access by submitting crafted SQL syntax. Attackers can bypass authentication by submitting equals signs and 'or' operators as username and password parameters to access the administration panel without valid credentials.
Title Jettweb PHP Hazir Haber Sitesi Scripti V3 Authentication Bypass
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-12T18:54:11.417Z

Reserved: 2026-03-12T13:49:47.791Z

Link: CVE-2019-25515

Vulnrichment

Updated: 2026-03-12T18:54:03.234Z

NVD

Status: Analyzed

Published: 2026-03-12T16:16:04.077

Modified: 2026-03-17T19:30:49.837

Link: CVE-2019-25515

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:49:27Z
