Description
phpTransformer 2016.9 contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the idnews parameter. Attackers can send crafted GET requests to GeneratePDF.php with SQL payloads in the idnews parameter to extract sensitive database information or manipulate queries.
Published: 2026-03-21
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Database Access
Action: Immediate Patch
AI Analysis

Impact

The bug is a classic SQL injection flaw in the GeneratePDF.php handler of phpTransformer 2016.9. An attacker can send a crafted GET request with a payload inserted into the idnews parameter, causing the application to execute the supplied SQL statement against the underlying database. The consequence is that an attacker can read sensitive tables, dump passwords, or modify data, leading to data exfiltration and integrity compromise.

Affected Systems

The vulnerable software is phpTransformer version 2016.9 from the vendor Phptransformer. Only this specific release is affected; newer releases are not listed as vulnerable.

Risk and Exploitability

The CVSS base score is 8.8, indicating high severity, while the EPSS score is currently below 1%, suggesting a low probability that the vulnerability will be actively exploited today. It is not in the CISA KEV catalog. The most likely attack vector is remote over the network, via ordinary HTTP GET requests to the GeneratePDF.php endpoint, as no authentication or other preconditions are explicitly required in the description.

Generated by OpenCVE AI on March 26, 2026 at 18:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade phpTransformer to the latest available version that addresses the SQL injection issue.
  • If an upgrade is not immediately possible, restrict access to the GeneratePDF.php URL using web application firewall rules or network ACLs.
  • As a temporary measure, remove or disable the GeneratePDF.php script from the public web directory.
  • Validate and sanitize all input parameters on the server side, ensuring that idnews is cast to an integer (or otherwise validated against a safe form) before it reaches any query.

Generated by OpenCVE AI on March 26, 2026 at 18:30 UTC.
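While no vendor fix exists, the last recommendation doubles as a hunting rule: a legitimate idnews is a numeric row id, so any request to GeneratePDF.php whose idnews is not a plain integer deserves a look. The following is an added example, not part of the OpenCVE record or of phpTransformer; it scans combined-format web-server access logs for such requests, and the log lines are constructed, not real traffic.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" access-log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A legitimate idnews is a row id: digits only, bounded length.
INT_RE = re.compile(r"\d{1,10}")

# Constructed sample traffic (not real log data): one clean request, two non-integer
# idnews values against GeneratePDF.php, and one non-integer value on an unrelated script.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Mar/2026:10:01:02 +0000] "GET /GeneratePDF.php?idnews=42 HTTP/1.1" 200 5120
203.0.113.11 - - [22/Mar/2026:10:01:09 +0000] "GET /GeneratePDF.php?idnews=42%27 HTTP/1.1" 500 221
203.0.113.11 - - [22/Mar/2026:10:01:15 +0000] "GET /news/GeneratePDF.php?idnews=42%20x HTTP/1.1" 200 5120
203.0.113.12 - - [22/Mar/2026:10:02:00 +0000] "GET /index.php?idnews=abc HTTP/1.1" 200 800
"""


def suspicious_idnews_requests(log_text: str) -> list[dict]:
    """Return one record per request to GeneratePDF.php whose idnews is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real hunt would count these separately
        url = urlsplit(m["target"])
        # match the script name regardless of directory or letter case
        if url.path.rsplit("/", 1)[-1].lower() != "generatepdf.php":
            continue
        # keep_blank_values so an empty "idnews=" is still examined
        params = parse_qs(url.query, keep_blank_values=True)
        for raw in params.get("idnews", []):
            # parse_qs decoded once; decode again so %2527-style double encoding is not missed
            value = unquote(raw)
            if not INT_RE.fullmatch(value):
                hits.append({"client": m["client"], "ts": m["ts"],
                             "idnews": value, "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in suspicious_idnews_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} idnews={hit['idnews']!r} status={hit['status']}")
```

A 500 response paired with a non-integer idnews, as in the second sample line, is the stronger signal, since it usually means the injected text reached the database and broke the query.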

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22

Mon, 23 Mar 2026 17:15:00 +0000

Values added:
  • First Time appeared: Codnloc; Codnloc phptransformer
  • Weaknesses: CWE-89
  • CPEs: cpe:2.3:a:codnloc:phptransformer:2016.9:*:*:*:*:*:*:*
  • Vendors & Products: Codnloc; Codnloc phptransformer
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Values added:
  • First Time appeared: Phptransformer; Phptransformer phptransformer
  • Vendors & Products: Phptransformer; Phptransformer phptransformer

Sat, 21 Mar 2026 15:45:00 +0000

Values added:
  • Description: phpTransformer 2016.9 contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the idnews parameter. Attackers can send crafted GET requests to GeneratePDF.php with SQL payloads in the idnews parameter to extract sensitive database information or manipulate queries.
  • Title: phpTransformer 2016.9 SQL Injection via GeneratePDF.php
  • Weaknesses: CWE-22
  • References: (none)
  • Metrics: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
  • Metrics: cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-26T16:17:10.981Z

Reserved: 2026-03-21T15:25:19.390Z

Link: CVE-2019-25578

Vulnrichment

Updated: 2026-03-23T15:36:58.004Z

NVD

Status: Modified

Published: 2026-03-21T16:16:01.730

Modified: 2026-03-26T17:16:24.917

Link: CVE-2019-25578

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:21:26Z

Weaknesses