Description
CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Attackers can send GET requests to category.php with malicious cat_id values to extract sensitive database information including usernames and credentials.
Published: 2026-04-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability in CMSsite 1.0 is a classic SQL injection where an attacker can embed arbitrary SQL code into the cat_id parameter of category.php. By crafting a malicious value and sending a simple HTTP GET request, an unauthenticated user can cause the application to perform unintended database operations. The exploit allows extraction of sensitive data such as usernames and passwords, thereby compromising the confidentiality of the system's user accounts.

Affected Systems

VictorAlagwu’s CMSsite version 1.0 is affected. Users running this CMS on any environment where category.php is reachable and the cat_id parameter accepts user input without validation are exposed. The problem is confined to the open‑source codebase provided by the vendor; no other products or versions were identified.

Risk and Exploitability

The CVSS score of 8.8 classifies the flaw as critical, and while there is no EPSS data available, the lack of requirement for authentication and the simplicity of the GET request suggest a high likelihood of exploitation once a vulnerable instance is discovered. The vulnerability is not listed in the KEV catalog, indicating that no publicly known exploits have been reported yet, but the attack vector is remote over the network and could be automated. Organizations should treat this as a high‑priority risk until a fix is applied.

Generated by OpenCVE AI on April 12, 2026 at 13:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update CMSsite to a version that removes the SQL injection flaw or, if unavailable, apply the vendor’s patch when released.
  • Modify the application to use prepared statements or parameterized queries for the cat_id input.
  • Restrict direct access to category.php from the web, allowing only trusted roles or IP addresses.
  • Validate and sanitize all user input on the cat_id parameter, rejecting non‑numeric values.
  • Monitor web traffic for unusual GET requests to category.php and alert on potential injection attempts.

Generated by OpenCVE AI on April 12, 2026 at 13:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:victoralagwu:cmssite:1.0:*:*:*:*:*:*:*

Mon, 13 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Victoralagwu
Victoralagwu cmssite
Vendors & Products Victoralagwu
Victoralagwu cmssite

Sun, 12 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Attackers can send GET requests to category.php with malicious cat_id values to extract sensitive database information including usernames and credentials.
Title CMSsite 1.0 SQL Injection via category.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Victoralagwu Cmssite
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-13T17:29:00.738Z

Reserved: 2026-04-05T15:35:39.786Z

Link: CVE-2019-25697

cve-icon Vulnrichment

Updated: 2026-04-13T17:28:57.083Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-12T13:16:32.603

Modified: 2026-04-17T16:41:44.963

Link: CVE-2019-25697

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T12:55:57Z

Weaknesses