Description
MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Attackers can submit crafted POST requests to the /charge/admin endpoint with error-based, time-based blind, or stacked query payloads to extract sensitive database information or manipulate data.
Published: 2026-04-12
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch Immediately
AI Analysis

Impact

The flaw arises from improper handling of the Charge[group_total] parameter at the /charge/admin endpoint in MyT-PM 1.5.1. Because the application does not sanitize input, authenticated attackers can inject arbitrary SQL, allowing them to read or alter database data. This results in loss of confidentiality and integrity for sensitive information and may enable further manipulation of system state.

Affected Systems

The affected product is MyT:Project Management version 1.5.1, with the vulnerability located in the Charges module accessed through /charge/admin.

Risk and Exploitability

The CVSS score of 7.1 indicates a high impact. Although exploit probability (EPSS) data is not available, the vulnerability requires valid authentication, meaning only users with credentials can exploit it. Attackers can send crafted POST requests using error-based, time-based blind, or stacked query payloads to extract or modify data. The vulnerability is not listed in the CISA KEV catalog, implying no public exploitation at the time of reporting.

Generated by OpenCVE AI on April 12, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch or upgrade to a fixed version of MyT-PM.
  • If a patch is unavailable, limit access to the /charge/admin endpoint to privileged accounts and monitor for anomalous POST activity.
  • Validate or sanitize the Charge[group_total] input on the server side before execution.
  • If the Charges feature is not required, disable or remove it from the installation.

Generated by OpenCVE AI on April 12, 2026 at 13:20 UTC.
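A server-side fix of the kind the third recommended action describes, as an added example that is not MyT-PM's own code: the handler accepts Charge[group_total] only as a strict decimal amount and binds it as a query parameter instead of concatenating it into SQL. The table and column names, the in-memory SQLite database and the simulated /charge/admin handler are assumptions for illustration.

```python
import re
import sqlite3
from decimal import Decimal, InvalidOperation

# Strict money-style decimal: optional sign, up to 12 integer digits, up to 2 fraction digits.
# Anything else (letters, exponents, quotes, SQL keywords) is rejected before it reaches the database.
_GROUP_TOTAL_RE = re.compile(r"^-?\d{1,12}(\.\d{1,2})?$")


def validate_group_total(raw):
    """Return a Decimal for a well-formed Charge[group_total] value, or None if it is malformed."""
    if not isinstance(raw, str) or not _GROUP_TOTAL_RE.fullmatch(raw):
        return None
    try:
        return Decimal(raw)
    except InvalidOperation:
        return None


def setup_db():
    """Constructed sample schema; the real MyT-PM schema is not given on the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE charge (id INTEGER PRIMARY KEY, group_total REAL)")
    conn.executemany("INSERT INTO charge (group_total) VALUES (?)", [(10.0,), (25.5,), (40.0,)])
    return conn


def charges_with_group_total(conn, raw):
    """Look up charges by the submitted total using a bound parameter, never string building."""
    total = validate_group_total(raw)
    if total is None:
        raise ValueError("Charge[group_total] must be a decimal amount")
    rows = conn.execute(
        "SELECT id FROM charge WHERE group_total = ?", (float(total),)
    ).fetchall()
    return [row[0] for row in rows]


def handle_post(conn, form):
    """Simulated /charge/admin POST handler: (400, []) on bad input, (200, ids) otherwise."""
    raw = form.get("Charge[group_total]")  # missing key yields None and is rejected below
    try:
        return 200, charges_with_group_total(conn, raw)
    except ValueError:
        return 400, []
```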

Tracking


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 14:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Myt Project; Myt Project myt
CPEs                |                | cpe:2.3:a:myt_project:myt:1.5.1:*:*:*:*:*:*:*
Vendors & Products  |                | Myt Project; Myt Project myt

Mon, 13 Apr 2026 18:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Myt; Myt project Management
Vendors & Products  |                | Myt; Myt project Management

Sun, 12 Apr 2026 12:45:00 +0000

Type        | Values Removed | Values Added
Description |                | MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Attackers can submit crafted POST requests to the /charge/admin endpoint with error-based, time-based blind, or stacked query payloads to extract sensitive database information or manipulate data.
Title       |                | MyT-PM 1.5.1 SQL Injection via Charge[group_total] Parameter
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}
            |                | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Myt Project Management
Myt Project Myt
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-13T17:28:06.510Z

Reserved: 2026-04-12T12:21:48.260Z

Link: CVE-2019-25713

Vulnrichment

Updated: 2026-04-13T17:28:02.413Z

NVD

Status : Analyzed

Published: 2026-04-12T13:16:34.620

Modified: 2026-04-17T14:04:08.673

Link: CVE-2019-25713

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:54:06Z

Weaknesses