Description
202CMS v10 beta contains a blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the log_user parameter. Attackers can send POST requests to index.php with crafted SQL payloads using time-based blind injection techniques to extract sensitive database information.
Published: 2026-03-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Theft via SQL Injection
Action: Patch
AI Analysis

Impact

202CMS v10 beta has a blind SQL injection flaw that permits unauthenticated attackers to send crafted POST requests to index.php (via the log_user parameter) and manipulate database queries. The vulnerability is a classic SQL Injection (CWE-89) that allows exploitation through time‑based blind techniques to exfiltrate sensitive information from the database, resulting in potential data theft and compromised confidentiality.

Affected Systems

The affected product is Sourceforge:202CMS version 10.0 beta, enumerated by the CPE cpe:2.3:a:konradpl99:202cms:10.0:beta:*:*:*:*:*:*. No other product variants are documented for this vulnerability.

Risk and Exploitability

The flaw carries a high CVSS score of 8.8, indicating severe impact if exploited. The EPSS score is below 1%, suggesting a low overall likelihood of widespread exploitation, and it is not listed in the CISA KEV catalog. Attackers require no prior authentication and can interact directly with the publicly reachable index.php endpoint, making this a remote, unauthenticated exploitation scenario.

Generated by OpenCVE AI on March 17, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade 202CMS to a non‑beta release that includes vulnerability remediation.
  • If a patch is available, download and apply it from the official Sourceforge project page.
  • Limit access to the registration endpoint by implementing IP whitelisting or requiring reCAPTCHA.
  • Sanitize all input parameters, especially log_user, in the registration script to prevent SQL injection.
  • Deploy web‑application firewall rules to detect and block suspicious SQL injection payloads.
  • Monitor web logs for anomalous POST requests to index.php and investigate promptly.
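As an added illustration for the "sanitize all input parameters" action (constructed for this page, not code from the 202CMS project), the injectable lookup pattern next to the parameterized form a registration handler reading log_user should use; the users table, column names, connection details and the allowed username pattern are assumptions.

```php
<?php
// Added illustration (not 202CMS code): an injectable lookup beside a
// parameterized one for a registration handler that reads $_POST['log_user'].

// Connection details are placeholders for this example.
$pdo = new PDO('mysql:host=localhost;dbname=cms', 'cms_user', 'cms_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// VULNERABLE pattern: the untrusted value is spliced into the SQL text, so the
// database parses whatever the client sent as part of the query. This is the
// shape of defect the advisory describes (CWE-89).
function userExistsVulnerable(PDO $pdo, string $logUser): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '" . $logUser . "'";
    return (int) $pdo->query($sql)->fetchColumn() > 0;
}

// HARDENED pattern: the query text is fixed at prepare time and the value is
// sent as a bound parameter, so it can never alter the statement's structure.
function userExistsSafe(PDO $pdo, string $logUser): bool
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE username = :u');
    $stmt->execute([':u' => $logUser]);
    return (int) $stmt->fetchColumn() > 0;
}

// Defense in depth: reject values that cannot be a valid username before they
// reach the database (the permitted character set and length are assumptions).
function validLogUser(string $logUser): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{3,32}$/', $logUser);
}

// Registration handler sketch for the POST endpoint (index.php / register.php).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $logUser = (string) ($_POST['log_user'] ?? '');
    if (!validLogUser($logUser)) {
        http_response_code(400);
        exit('invalid username');
    }
    if (userExistsSafe($pdo, $logUser)) {
        http_response_code(409);
        exit('username already taken');
    }
    // continue with a parameterized INSERT in the same style as userExistsSafe()
}
```

Disabling emulated prepares matters: with emulation on, PDO interpolates values client-side, and a parameterized call is only as safe as the driver's quoting.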



Advisories

No advisories yet.

History

Mon, 16 Mar 2026 18:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Konradpl99; Konradpl99 202cms
CPEs                |                | cpe:2.3:a:konradpl99:202cms:10.0:beta:*:*:*:*:*:*
Vendors & Products  |                | Konradpl99; Konradpl99 202cms

Fri, 13 Mar 2026 10:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Sourceforge; Sourceforge 202cms
Vendors & Products  |                | Sourceforge; Sourceforge 202cms

Thu, 12 Mar 2026 17:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 16:00:00 +0000

Type        | Values Removed | Values Added
Description |                | 202CMS v10 beta contains a blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the log_user parameter. Attackers can send POST requests to index.php with crafted SQL payloads using time-based blind injection techniques to extract sensitive database information.
Title       |                | 202CMS v10 beta SQL Injection via register.php
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
            |                | cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-12T16:19:47.955Z

Reserved: 2026-03-12T14:27:06.922Z

Link: CVE-2019-25539

Vulnrichment

Updated: 2026-03-12T16:19:41.795Z

NVD

Status: Analyzed

Published: 2026-03-12T16:16:08.627

Modified: 2026-03-16T17:56:04.813

Link: CVE-2019-25539

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:49:07Z

Weaknesses