Description
XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter. Attackers can send GET requests to results.php with malicious 'p' values to bypass authentication, extract sensitive data, or modify database contents.
Published: 2026-03-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in XooGallery's results.php file, where the 'p' parameter is incorporated into database queries without proper sanitization. Exploitation allows an unauthenticated attacker to inject arbitrary SQL statements. Successful injection can bypass authentication checks, read confidential database information, or alter or delete records. The weakness is a classic SQL Injection (CWE‑89).

Affected Systems

Xooscripts XooGallery is the affected product. No specific affected version range is supplied in the available data, so all current releases of XooGallery remain potentially vulnerable until an official update is released.

Risk and Exploitability

The CVSS score of 8.8 categorizes the issue as high severity, and the EPSS score indicates a very low probability of exploitation in the wild. The vulnerability is accessible over the public internet via a simple HTTP GET request to results.php, making it remotely exploitable without authentication. While no known active exploits are reported and it is absent from the CISA KEV catalog, the impact—unauthenticated data exfiltration or modification—warrants immediate attention.

Generated by OpenCVE AI on March 23, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Xooscripts website for a security patch or an update that addresses the SQL injection in results.php.
  • If no patch is available, limit direct access to results.php by configuring the web server or firewall to allow only trusted IP addresses.
  • Configure the application to validate input or convert the 'p' parameter to use parameterized queries, preventing malicious SQL code from being executed.
  • Consider deploying a Web Application Firewall to detect and block SQL injection attempts targeting XooGallery.

Generated by OpenCVE AI on March 23, 2026 at 14:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:xooscripts:xoogallery:-:*:*:*:*:*:*:*

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Xooscripts
Xooscripts xoogallery
Vendors & Products Xooscripts
Xooscripts xoogallery

Thu, 12 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter. Attackers can send GET requests to results.php with malicious 'p' values to bypass authentication, extract sensitive data, or modify database contents.
Title XooGallery Lastest Latest SQL Injection via results.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Xooscripts Xoogallery
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-12T18:39:49.758Z

Reserved: 2026-03-12T13:55:58.326Z

Link: CVE-2019-25524

cve-icon Vulnrichment

Updated: 2026-03-12T18:39:42.474Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-12T16:16:05.700

Modified: 2026-03-23T13:39:49.133

Link: CVE-2019-25524

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:39:49Z

Weaknesses