Description
Newsbull Haber Script 1.0.0 contains multiple SQL injection vulnerabilities in the search parameter that allow authenticated attackers to extract database information through time-based, blind, and boolean-based injection techniques. Attackers can inject malicious SQL code through the search parameter in endpoints like /admin/comment/records, /admin/category/records, /admin/news/records, and /admin/menu/childs to manipulate database queries and retrieve sensitive data.
Published: 2026-04-12
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Data exfiltration via SQL Injection
Action: Apply Patch
AI Analysis

Impact

This vulnerability is an authenticated SQL injection flaw that resides in the search parameter of Newsbull Haber Script 1.0.0. Once an attacker has a legitimate user session, they can inject malicious SQL into endpoint searches such as /admin/comment/records, /admin/category/records, /admin/news/records, and /admin/menu/childs. The injected payloads can be delivered using time‑based, blind, or boolean‑based techniques to read sensitive data from the database. The primary consequence is the uncontrolled disclosure of stored information such as user credentials, configuration data, or any other data the database contains. No direct privilege escalation or arbitrary code execution is implied.

Affected Systems

The affected product is Newsbull Haber Script version 1.0.0, as disclosed by the CNA. No other releases or versions are documented as vulnerable, so systems running this exact version are at risk and remain exposed until this version is mitigated or patched.

Risk and Exploitability

The CVSS score of 7.1 marks this issue as high severity. EPSS information is unavailable and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access to the web application; once authenticated, an attacker can send crafted search queries that manipulate SQL statements and retrieve confidential data. The weakness does not enable remote code execution or system compromise beyond data exfiltration, but the high potential impact warrants prompt remediation.

Generated by OpenCVE AI on April 12, 2026 at 13:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑released patch or upgrade to a fixed version of Newsbull Haber Script.
  • If a patch is not yet available, disable or remove the exposed search endpoints from the administration area.
  • Configure the database user account used by the application to have the minimum privileges required for normal operation, limiting the scope of data that can be accessed.
  • Audit the application code to ensure that all user input is sanitized and database queries are built using parameterized statements to eliminate injection vectors.
  • Deploy a Web Application Firewall (WAF) to detect and block suspicious SQL patterns targeting the search parameter.
  • Monitor web server and database logs for anomalous query patterns or repeated failed login attempts that could indicate exploitation attempts.
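A sketch of the log monitoring recommended above, added here as an example and not taken from the vendor or from OpenCVE: it scans access-log lines for requests to the four endpoints named in this record and flags `search` values containing SQL metacharacters or timing functions. It assumes combined log format with `search` visible in the query string; the database engine is not stated in this record, so the pattern lists timing functions for several engines, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints named in this record as carrying the injectable `search` parameter.
ENDPOINTS = {"/admin/comment/records", "/admin/category/records",
             "/admin/news/records", "/admin/menu/childs"}

# Assumed heuristic: quote, statement and comment metacharacters, plus
# UNION SELECT and the timing functions of common engines.
SUSPICIOUS = re.compile(
    r"['\"`;]|--|/\*|\b(?:union\s+select|sleep|benchmark|waitfor|pg_sleep)\b",
    re.IGNORECASE)

# Combined log format: client IP first, then "METHOD target HTTP/x.y" status.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def flag_requests(lines):
    """Return (client_ip, path, decoded search value) for suspicious requests."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable request line
        ip, target, _status = m.groups()
        url = urlsplit(target)
        if url.path.rstrip("/") not in ENDPOINTS:
            continue  # only the endpoints listed in the record are in scope
        # parse_qs percent-decodes, so encoded metacharacters are caught too.
        for value in parse_qs(url.query, keep_blank_values=True).get("search", []):
            if SUSPICIOUS.search(value):
                hits.append((ip, url.path, value))
    return hits

# Constructed sample lines (not from a real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Apr/2026:10:01:02 +0000] "GET /admin/news/records?search=election HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Apr/2026:10:01:09 +0000] "GET /admin/news/records?search=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120',
    '198.51.100.4 - - [12/Apr/2026:10:02:00 +0000] "GET /admin/menu/childs?search=a%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 40',
    '198.51.100.4 - - [12/Apr/2026:10:02:30 +0000] "GET /news/list?search=o%27brien HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

A legitimate search term containing an apostrophe will also be flagged on the admin endpoints, so treat hits as leads to correlate with session and response-time data. If the application sends `search` in a POST body, the same check applies to wherever request bodies are logged.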



Advisories

No advisories yet.

History

Fri, 17 Apr 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Gurkanuzunca; Gurkanuzunca newsbull
CPEs | | cpe:2.3:a:gurkanuzunca:newsbull:1.0.0:*:*:*:*:*:*:*
Vendors & Products | | Gurkanuzunca; Gurkanuzunca newsbull

Mon, 13 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Newsbull; Newsbull newsbull Haber Script
Vendors & Products | | Newsbull; Newsbull newsbull Haber Script

Sun, 12 Apr 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description | | Newsbull Haber Script 1.0.0 contains multiple SQL injection vulnerabilities in the search parameter that allow authenticated attackers to extract database information through time-based, blind, and boolean-based injection techniques. Attackers can inject malicious SQL code through the search parameter in endpoints like /admin/comment/records, /admin/category/records, /admin/news/records, and /admin/menu/childs to manipulate database queries and retrieve sensitive data.
Title | | Newsbull Haber Script 1.0.0 Authenticated SQL Injection via search parameter
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}
Metrics | | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-13T18:06:18.270Z

Reserved: 2026-04-05T15:36:33.509Z

Link: CVE-2019-25699

Vulnrichment

Updated: 2026-04-13T17:58:09.779Z

NVD

Status: Analyzed

Published: 2026-04-12T13:16:32.770

Modified: 2026-04-17T16:43:44.013

Link: CVE-2019-25699

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:55:56Z
