Description
OpenDocMan 1.3.4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'where' parameter. Attackers can send GET requests to search.php with malicious SQL payloads in the 'where' parameter to extract sensitive database information.
Published: 2026-04-05
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data extraction via unauthenticated SQL injection
Action: Immediate Patch
AI Analysis

Impact

OpenDocMan 1.3.4 contains an SQL injection flaw that allows an attacker to inject arbitrary SQL through the 'where' request parameter. By sending crafted GET requests to search.php, an unauthenticated user can manipulate database queries and read sensitive information, potentially exposing confidential business data. The weakness is a classic input validation error (CWE‑89).

Affected Systems

The vulnerability affects OpenDocMan, specifically the 1.3.4 release. No other versions are reported as affected in the supplied information.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity, while the EPSS score below 1% shows a low probability of exploitation. The flaw is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. The likely attack vector is a network exposure where an external attacker can craft an HTTP GET request to search.php and supply malicious payloads via the 'where' parameter.

Generated by OpenCVE AI on April 9, 2026 at 20:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch or upgrade to a non‑affected version of OpenDocMan such as 1.3.5 or later.
  • If an immediate upgrade is not possible, implement input sanitization or use parameterized queries to eliminate the injection risk.
  • Configure web application firewalls or request filtering to block suspicious SQL syntax in the 'where' parameter and monitor logs for repeated attempts.

Generated by OpenCVE AI on April 9, 2026 at 20:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:opendocman:opendocman:*:*:*:*:*:*:*:*

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 05 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description OpenDocMan 1.3.4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'where' parameter. Attackers can send GET requests to search.php with malicious SQL payloads in the 'where' parameter to extract sensitive database information.
Title OpenDocMan 1.3.4 SQL Injection via where Parameter
First Time appeared Opendocman
Opendocman opendocman
Weaknesses CWE-89
CPEs cpe:2.3:a:opendocman:opendocman:1.3.5:*:*:*:*:*:*:*
Vendors & Products Opendocman
Opendocman opendocman
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Opendocman Opendocman
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T15:07:34.416Z

Reserved: 2026-04-05T15:18:00.186Z

Link: CVE-2019-25684

cve-icon Vulnrichment

Updated: 2026-04-06T15:07:31.142Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-05T21:16:46.970

Modified: 2026-04-09T19:16:05.143

Link: CVE-2019-25684

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:45:19Z

Weaknesses