Description
All in One Video Downloader 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send requests to the admin interface with UNION-based SQL injection payloads in the id parameter to extract sensitive database information including usernames, databases, and version details.
Published: 2026-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

All in One Video Downloader 1.2 contains a classic SQL injection flaw that can be triggered by unsanitized input in the id parameter of the admin interface. Because the application does not require authentication for this endpoint, an attacker can send specially crafted requests to the site and retrieve sensitive information from the database, such as usernames, database names, and MySQL version details. The flaw lets an attacker execute arbitrary SQL queries, allowing data theft and potentially enabling deeper compromise of the web application.

Affected Systems

The affected product is Nicheoffice’s All in One Video Downloader, version 1.2. No other versions are listed as insecure in the current advisory.

Risk and Exploitability

The CVSS score of 8.8 marks the flaw as high‑severity, and the absence of authentication control makes exploitation trivial for an attacker with network access to the admin page. Because the EPSS score is not available, the exact likelihood of attack cannot be quantified, but the fact that the vulnerability is publicly known and listed by Exploit‑DB indicates that it is actively being exploited in the wild. The vulnerability is not listed in the CISA KEV catalog, yet the inherent risks of data leakage and possible compromise warrant immediate remediation.

Generated by OpenCVE AI on June 4, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade All in One Video Downloader to a patched version that resolves the SQL injection flaw.
  • If a fix is unavailable, restrict or disable the vulnerable admin page or lock it down to trusted IP addresses.
  • Deploy a web application firewall or input‑validation layer to detect and block UNION‑based SQL injection payloads.

Generated by OpenCVE AI on June 4, 2026 at 14:40 UTC.
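
One way to act on the input-validation recommendation above, as an added example that is not part of the advisory or the product's code: a Python check that scans web access logs for admin requests whose id query parameter is not a plain integer and labels the ones that look like UNION-based injection. The `/admin/` prefix, the `/admin/page` path, the combined log format and the sample lines are assumptions constructed for illustration; the advisory does not give the endpoint path.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Assumption: admin pages live under this prefix; the advisory does not give the real path.
ADMIN_PREFIX = "/admin/"
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
UNION_RE = re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)
SQL_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)


def normalise(value: str, rounds: int = 3) -> str:
    """Undo nested URL encoding and strip inline SQL comments before matching."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", SQL_COMMENT_RE.sub(" ", value)).strip()


def classify_id(raw: str) -> str:
    """Return 'ok' for a plain integer id, else 'union-sqli' or 'non-numeric'."""
    value = normalise(raw)
    if re.fullmatch(r"\d{1,10}", value):
        return "ok"
    return "union-sqli" if UNION_RE.search(value) else "non-numeric"


def scan(lines):
    """Yield (ip, status, verdict, decoded id) for admin requests with a rejected id."""
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.startswith(ADMIN_PREFIX):
            continue
        for key, raw in parse_qsl(url.query, keep_blank_values=True):
            if key.lower() == "id" and (verdict := classify_id(raw)) != "ok":
                yield m["ip"], int(m["status"]), verdict, normalise(raw)


# Constructed sample log lines (combined log format), not taken from a real incident.
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Jun/2026:13:01:02 +0000] "GET /admin/page?id=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [04/Jun/2026:13:01:09 +0000] "GET /admin/page?id=-1+UNION+SELECT+1,2,3 HTTP/1.1" 200 811',
    '203.0.113.9 - - [04/Jun/2026:13:01:15 +0000] "GET /admin/page?id=1%20uNiOn%20sElEcT%201 HTTP/1.1" 200 790',
    '198.51.100.7 - - [04/Jun/2026:13:02:40 +0000] "GET /admin/page?id=12abc HTTP/1.1" 404 312',
]
```

The integer allow-list is the actual control; the UNION pattern only labels rejected values for triage. A 200 status on a rejected id is the case to investigate first, since it means the request reached the application.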

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nicheoffice; Nicheoffice all In One Video Downloader
Vendors & Products | | Nicheoffice; Nicheoffice all In One Video Downloader

Thu, 04 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Description | | All in One Video Downloader 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send requests to the admin interface with UNION-based SQL injection payloads in the id parameter to extract sensitive database information including usernames, databases, and version details.
Title | | All in One Video Downloader 1.2 SQL Injection via admin page-edit
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}; cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-04T13:50:18.470Z

Reserved: 2026-06-04T10:37:37.183Z

Link: CVE-2019-25726

Vulnrichment

Updated: 2026-06-04T13:50:14.987Z

NVD

Status: Deferred

Published: 2026-06-04T14:16:27.463

Modified: 2026-06-04T15:00:40.757

Link: CVE-2019-25726

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T10:08:01Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')