Description
202CMS v10 beta contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the log_user parameter. Attackers can send crafted requests with malicious SQL statements in the log_user field to extract sensitive database information or modify database contents.
Published: 2026-03-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality Compromise
Action: Patch
AI Analysis

Impact

The vulnerability is an SQL injection in the log_user parameter that allows attackers to insert arbitrary SQL into database queries. This can lead to unauthorized extraction of sensitive data or alteration of database contents. The weakness is identified as CWE-89, a classic input validation flaw.

Affected Systems

The affected system is Sourceforge:202CMS v10 beta (cpe:2.3:a:konradpl99:202cms:10.0:beta:*:*:*:*:*:*). No further versions are specified beyond the beta release; therefore any instance running 202CMS 10.0 beta is vulnerable.

Risk and Exploitability

The CVSS v3 score of 8.8 marks this as High severity. The EPSS score is below 1%, indicating low likelihood of exploitation, and it is not listed in KEV, so zero-day exploitation cases are currently unknown. Because the parameter is publicly exposed and authentication is not required, the attack vector is inferred to be remote and unauthenticated. Exploitation would involve sending a crafted request to the vulnerable endpoint, injecting SQL that the application fails to sanitize.

Generated by OpenCVE AI on March 17, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of 202CMS (v10 or later) from Sourceforge that removes the vulnerable log_user parameter handling.
  • If an upgrade is not immediately possible, restrict the log_user parameter to expected values and implement input validation or parameterized queries.
  • Monitor for abnormal SQL activity and inspect logs for injected queries.

Generated by OpenCVE AI on March 17, 2026 at 14:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Konradpl99
Konradpl99 202cms
CPEs cpe:2.3:a:konradpl99:202cms:10.0:beta:*:*:*:*:*:*
Vendors & Products Konradpl99
Konradpl99 202cms

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Sourceforge
Sourceforge 202cms
Vendors & Products Sourceforge
Sourceforge 202cms

Thu, 12 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description 202CMS v10 beta contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the log_user parameter. Attackers can send crafted requests with malicious SQL statements in the log_user field to extract sensitive database information or modify database contents.
Title 202CMS v10 beta SQL Injection via log_user Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Konradpl99 202cms
Sourceforge 202cms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-12T16:20:14.733Z

Reserved: 2026-03-12T14:26:15.503Z

Link: CVE-2019-25538

cve-icon Vulnrichment

Updated: 2026-03-12T16:20:04.217Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-12T16:16:08.400

Modified: 2026-03-16T17:53:57.243

Link: CVE-2019-25538

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:49:07Z

Weaknesses