Description
Inout Article Base CMS contains SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through the 'p' and 'u' parameters. Attackers can inject SQL code using XOR-based payloads in GET requests to portalLogin.php to extract sensitive database information or cause denial of service through time-based attacks.
Published: 2026-03-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a SQL injection flaw in the portalLogin.php endpoint of Inout Article Base CMS, caused by unvalidated input. Attackers can supply the 'p' and 'u' parameters in a GET request, using XOR-based payloads, to influence SQL queries and retrieve sensitive data or trigger time-based delays. An unauthenticated user could therefore read confidential database content or cause a denial of service. The weakness is classified as CWE-89.

Affected Systems

The affected product is Inout Article Base CMS from Inoutscripts. Specific version information is not disclosed in the data, so the risk applies to all publicly available builds of this CMS until a patch is issued.

Risk and Exploitability

With a CVSS score of 8.8 the vulnerability is considered high severity. No EPSS score is available, and it is not presently listed in the CISA KEV catalog. The attack can be carried out over the network by sending crafted GET requests to portalLogin.php; because the vector does not require authentication, any client with network access can exploit it.

Generated by OpenCVE AI on March 24, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s website or support portal for a patch or newer version that removes the injection vulnerability.
  • If a patch is not yet available, restrict network access to portalLogin.php or deploy a web application firewall rule to block suspicious SQL injection patterns.
  • Ensure that all input parameters are properly sanitized or parameterized in the application code.
  • Monitor application logs for abnormal query patterns or long‑running SQL statements and investigate any anomalies.
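
The log-monitoring action above can be sketched as a small access-log scanner. This is an added example, not OpenCVE or vendor code; it assumes combined-format web server logs, and the indicator list and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Heuristic indicators (assumptions chosen for this example, not vendor
# signatures): quote characters, SQL comment markers, and keywords typical of
# XOR-based and time-based injection. Expect false positives and tune locally.
SUSPICIOUS = re.compile(r"(?i)\b(xor|sleep|benchmark|union|select)\b|['\"]|--|/\*")
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Mar/2026:12:00:01 +0000] "GET /portalLogin.php?p=home&u=alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [24/Mar/2026:12:00:05 +0000] "GET /portalLogin.php?p=1%27XOR%28sleep%281%29%29&u=x HTTP/1.1" 200 512',
    '198.51.100.4 - - [24/Mar/2026:12:00:09 +0000] "GET /index.php?p=1%27 HTTP/1.1" 200 100',
    '198.51.100.4 - - [24/Mar/2026:12:00:12 +0000] "GET /portalLogin.php?p=1&u=a%27%20xor%20%271 HTTP/1.1" 500 0',
]

def suspicious_params(target):
    """Return {param: decoded value} for flagged 'p'/'u' values on portalLogin.php."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/portallogin.php"):
        return {}
    # parse_qs percent-decodes, so encoded payloads are checked in clear form.
    params = parse_qs(parts.query, keep_blank_values=True)
    return {name: value
            for name in ("p", "u")
            for value in params.get(name, [])
            if SUSPICIOUS.search(value)}

def scan(lines):
    """Return (line number, client address, flagged parameter names) per hit."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match or match["method"] != "GET":
            continue
        hits = suspicious_params(match["target"])
        if hits:
            findings.append((number, line.split()[0], sorted(hits)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Flagged lines are leads for investigation, not proof of exploitation; correlate them with database slow-query logs to cover the time-based case.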


Advisories

No advisories yet.

History

Wed, 25 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Inoutscripts; Inoutscripts inout Article Base Cms
Vendors & Products | | Inoutscripts; Inoutscripts inout Article Base Cms

Tue, 24 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 11:45:00 +0000

Type | Values Removed | Values Added
Description | | Inout Article Base CMS contains SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through the 'p' and 'u' parameters. Attackers can inject SQL code using XOR-based payloads in GET requests to portalLogin.php to extract sensitive database information or cause denial of service through time-based attacks.
Title | | Inout Article Base CMS Lastest SQL Injection via portalLogin.php
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}; cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-24T13:45:44.856Z

Reserved: 2026-03-24T11:03:56.474Z

Link: CVE-2019-25640

Vulnrichment

Updated: 2026-03-24T13:45:28.276Z

NVD

Status: Deferred

Published: 2026-03-24T12:16:05.193

Modified: 2026-05-01T14:41:28.180

Link: CVE-2019-25640

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:39:31Z
