Description
News Website Script 2.0.5 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the news ID parameter. Attackers can send GET requests to index.php/show/news/ with malicious SQL statements to extract sensitive database information.
Published: 2026-04-05
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Database compromise
Action: Immediate Patch
AI Analysis

Impact

A classic SQL injection flaw enables attackers to embed malicious SQL into the news ID parameter of the index.php endpoint. Because the application does not enforce authentication, anyone who can reach the publicly exposed URL can trigger the injection. Successful exploitation lets the attacker retrieve arbitrary data from the backend database, potentially exposing user credentials, site content, or configuration details.

Affected Systems

Phpscriptsmall News Website Script version 2.0.5 is affected. No other major releases are listed as vulnerable in the available data.

Risk and Exploitability

With a CVSS score of 8.8, the flaw poses high risk. The attack vector is clear: a direct HTTP GET request to /index.php/show/news/ with crafted input. The probability of exploitation is not quantified in the current data, but the absence of authentication and the straightforward injection path indicate a realistic threat. The vulnerability is not listed in the Known Exploited Vulnerabilities (KEV) catalog, but it may still be actively abused.

Generated by OpenCVE AI on April 5, 2026 at 23:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch or upgrade to a newer, non‑vulnerable version of News Website Script.
  • If an update is not immediately possible, block or rate‑limit access to the /index.php/show/news/ endpoint using a web‑application firewall or server‑level IP restrictions.
  • Ensure that the database user account used by the application has only the minimum privileges required for its operation.
  • Continuously monitor web‑server logs for unusual GET requests to the vulnerable path and investigate any anomalies.
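One way to carry out the log-monitoring action above, as an added example (not OpenCVE's or the vendor's code): it flags GET requests under /index.php/show/news/ whose ID segment is not purely numeric after percent-decoding. The numeric-ID path layout, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Path taken from the advisory. Treating the first segment after it as a
# numeric news ID is an assumption about the application's URL layout.
PREFIX = "/index.php/show/news/"

# Minimal matcher for Apache/nginx "combined" access-log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (ip, decoded_id, status) for GETs whose news ID is not all digits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        path = urlsplit(m["target"]).path
        if not path.startswith(PREFIX):
            continue
        # Split before decoding so an encoded "/" stays inside the ID segment.
        news_id = fully_decode(path[len(PREFIX):].split("/", 1)[0])
        if news_id and not re.fullmatch(r"[0-9]+", news_id):
            hits.append((m["ip"], news_id, int(m["status"])))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Apr/2026:10:00:01 +0000] "GET /index.php/show/news/12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Apr/2026:10:00:05 +0000] "GET /index.php/show/news/12%27 HTTP/1.1" 500 310 "-" "curl/8.0"',
    '198.51.100.7 - - [05/Apr/2026:10:00:06 +0000] "GET /index.php/show/news/7%2527 HTTP/1.1" 200 4800 "-" "curl/8.0"',
    '203.0.113.4 - - [05/Apr/2026:10:00:09 +0000] "GET /index.php/show/about HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '203.0.113.4 - - [05/Apr/2026:10:00:12 +0000] "POST /index.php/show/news/3%27 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, news_id, status in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} non-numeric news id: {news_id!r}")
```

A flagged request that returned a 5xx status, or a 200 with an unusual response size, is the first thing to investigate.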



Advisories

No advisories yet.

History

Mon, 20 Apr 2026 18:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:phpscriptsmall:news_website_script:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Phpscriptsmall; Phpscriptsmall news Website Script
Vendors & Products | | Phpscriptsmall; Phpscriptsmall news Website Script

Mon, 06 Apr 2026 20:00:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 05 Apr 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | News Website Script 2.0.5 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the news ID parameter. Attackers can send GET requests to index.php/show/news/ with malicious SQL statements to extract sensitive database information.
Title | | News Website Script 2.0.5 SQL Injection via index.php
First Time appeared | | News Website Script Project; News Website Script Project news Website Script
Weaknesses | | CWE-89
CPEs | | cpe:2.3:a:news_website_script_project:news_website_script:2.0.5:*:*:*:*:*:*:*
Vendors & Products | | News Website Script Project; News Website Script Project news Website Script
References | |
Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
Metrics | | cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T18:36:39.417Z

Reserved: 2026-04-05T13:06:58.747Z

Link: CVE-2019-25668

Vulnrichment

Updated: 2026-04-06T18:36:29.006Z

NVD

Status: Analyzed

Published: 2026-04-05T21:16:44.240

Modified: 2026-04-20T18:21:59.803

Link: CVE-2019-25668

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:48:40Z

Weaknesses