Description
ownDMS 4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the IMG parameter. Attackers can send GET requests to pdfstream.php, imagestream.php, or anyfilestream.php with crafted SQL payloads in the IMG parameter to extract sensitive database information including version and database names.
Published: 2026-03-21
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch
AI Analysis

Impact

ownDMS 4.7 contains a SQL injection flaw that can be triggered by supplying a crafted value to the IMG parameter in the pdfstream.php, imagestream.php, and anyfilestream.php scripts. An unauthenticated attacker can send a simple HTTP GET request to these endpoints and cause the server to execute arbitrary SQL statements, allowing the attacker to read sensitive database information such as the database version, database names, and other data stored in the database.

Affected Systems

The vulnerability applies to all deployments of ownDMS version 4.7 that include the vulnerable image‑streaming PHP scripts. Regardless of user permissions, any instance of this software with the original pdfstream.php, imagestream.php, or anyfilestream.php files present is susceptible.

Risk and Exploitability

The CVSS score of 8.8 reflects a high severity risk. Because the flaw is reachable via unauthenticated HTTP requests, an attacker need only craft a URL with a malicious IMG value; no prior authentication or privileged access is required. No EPSS score or KEV listing is available, but the nature of the vulnerability and its high CVSS indicate that exploitation is likely feasible in vulnerable, publicly accessible deployments.

Generated by OpenCVE AI on March 21, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch or upgrade to a non‑vulnerable ownDMS version
  • If an immediate upgrade is not possible, block unauthenticated access to pdfstream.php, imagestream.php, and anyfilestream.php at the web server or firewall level
  • Implement strict input validation or an allow‑list for the IMG parameter to reject SQL injection payloads
  • Monitor web application logs for suspicious query patterns to detect potential exploitation attempts
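One way to implement the allow-list and parameterised lookup the actions above call for, as an added illustration that is not ownDMS's own code: it assumes a hypothetical `documents` table with integer `id` and `path` columns, and placeholder database credentials.

```php
<?php
declare(strict_types=1);

// Hypothetical hardening of a stream-style endpoint (not ownDMS code).
// Assumed names: table `documents`, columns `id` (integer PK) and `path`.
// Pattern being replaced: "SELECT path FROM documents WHERE id=" . $_GET['IMG']

/** Allow-list the IMG parameter: a positive decimal integer, nothing else. */
function validateImgParam(?string $raw): ?int
{
    if ($raw === null || $raw === '' || strlen($raw) > 10 || !ctype_digit($raw)) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/** Fetch the stored path with a bound parameter; the value never enters the SQL text. */
function lookupDocumentPath(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT path FROM documents WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $path = $stmt->fetchColumn();
    return $path === false ? null : (string) $path;
}

// Reject malformed input before touching the database, and log the rejection
// so exploitation attempts show up in monitoring.
$id = validateImgParam($_GET['IMG'] ?? null);
if ($id === null) {
    http_response_code(400);
    error_log('stream endpoint: rejected IMG value from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    exit;
}

// Placeholder DSN/credentials; use real server-side prepares, not emulated ones.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$path = lookupDocumentPath($pdo, $id);
if ($path === null || !is_file($path)) {
    http_response_code(404);
    exit;
}
header('Content-Type: application/octet-stream');
readfile($path);
```

The same pattern applies to each of the three stream scripts; the web-server or firewall block in the second action remains the right interim control until the code is changed.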

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Owndms; Owndms owndms

Type: Vendors & Products
Values Removed: (none)
Values Added: Owndms; Owndms owndms

Sat, 21 Mar 2026 15:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: ownDMS 4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the IMG parameter. Attackers can send GET requests to pdfstream.php, imagestream.php, or anyfilestream.php with crafted SQL payloads in the IMG parameter to extract sensitive database information including version and database names.

Type: Title
Values Removed: (none)
Values Added: ownDMS 4.7 SQL Injection via pdfstream.php imagestream.php

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-434

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
cvssV4_0
{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T16:34:46.408Z

Reserved: 2026-03-21T15:28:57.128Z

Link: CVE-2019-25580

Vulnrichment

Updated: 2026-03-23T16:34:41.711Z

NVD

Status: Awaiting Analysis

Published: 2026-03-21T16:16:02.110

Modified: 2026-03-23T14:31:37.267

Link: CVE-2019-25580

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:47:03Z

Weaknesses