Description
A security flaw has been discovered in Xiaopi Panel up to 20260126. This impacts an unknown function of the file /demo.php of the component WAF Firewall. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Database compromise via SQL injection
Action: Immediate Patch
AI Analysis

Impact

A flaw in Xiaopi Panel, affecting the /demo.php file of its WAF Firewall component in versions up to and including 20260126, allows an attacker to inject SQL through the ID argument. The vulnerability is a classic SQL injection (CWE-89) that can expose, modify, or delete data in the backend database. The entry point is an HTTP request reachable over the network, but the published CVSS vectors (v2 Au:S, v3.x and v4 PR:L) record that low-privileged authentication to the panel is required, so "remote" here means network-reachable, not unauthenticated. The 5.3 Medium shown above is the CVSS v4 base score; the v3.1 vector scores 6.3. The description states that a public exploit has already been released.
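
The flaw class described above, as an added example that is not Xiaopi Panel's code: this page does not show the demo.php source, so the table, column names and payloads below are constructed, and Python with sqlite3 stands in for whatever database layer the panel uses. The vulnerable lookup splices the ID argument into the statement; the hardened one enforces the parameter's type and binds the value.

```python
"""Illustration of the CWE-89 pattern the advisory describes: a request
parameter (here ID) concatenated into SQL text, shown next to a hardened
lookup. Added example code, not Xiaopi Panel's demo.php (this page does not
show that source); the table, columns and payloads are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the panel's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE rules (id INTEGER PRIMARY KEY, pattern TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO rules VALUES (?, ?, ?)",
        [(1, "block-sqli", "s3cret-1"),
         (2, "block-xss", "s3cret-2"),
         (3, "block-lfi", "s3cret-3")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """The flaw class: ID is spliced into the statement, so whoever controls
    the parameter controls the WHERE clause (and anything after it)."""
    sql = "SELECT id, pattern FROM rules WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, raw_id: str) -> list:
    """Fix: enforce the type the parameter is meant to have, then bind it as
    a query parameter so the engine never parses attacker text as SQL."""
    try:
        rule_id = int(raw_id)
    except ValueError:
        raise ValueError("ID must be an integer") from None
    return conn.execute(
        "SELECT id, pattern FROM rules WHERE id = ?", (rule_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed payloads: a boolean tautology that returns every row, and a
    # UNION that pulls a column the endpoint was never meant to return.
    for value in ("2", "2 OR 1=1", "0 UNION SELECT id, secret FROM rules"):
        print(f"vulnerable ID={value!r}: {lookup_vulnerable(db, value)}")
        try:
            print(f"hardened   ID={value!r}: {lookup_hardened(db, value)}")
        except ValueError as exc:
            print(f"hardened   ID={value!r}: rejected ({exc})")
```

The hardened version does two independent things: the integer conversion rejects anything that is not the expected shape before the database is touched, and the bound parameter means that even a value which passes validation can never change the statement's structure. Either alone would stop the payloads above; together they also cover future changes to the column type.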

Affected Systems

The affected scope is Xiaopi Panel up to and including version 20260126 (the description says "up to"; the NVD CPE uses a wildcard version), wherever the WAF Firewall component's /demo.php file is reachable over HTTP. No finer-grained version list is given, so any installation of that date or earlier that still serves the file should be treated as vulnerable.

Risk and Exploitability

With an EPSS score below 1%, the likelihood of exploitation in the wild is currently assessed as low, and the vulnerability is not in CISA's KEV catalogue; the SSVC enrichment also recorded Exploitation "none" and Automatable "no". Against that, the description says an exploit is public and the CVSS temporal metrics carry E:P (proof of concept). Exploitation itself is straightforward once the prerequisites are met: a request to /demo.php with a crafted ID parameter. The prerequisites are network access to the panel and a low-privileged account (PR:L); no user interaction is needed. The moderate CVSS score reflects partial loss of confidentiality, integrity and availability (C:L/I:L/A:L). Security teams should watch web-server and database logs for anomalous requests to /demo.php and weigh the public proof of concept against the low EPSS when prioritizing remediation.

Generated by OpenCVE AI on April 17, 2026 at 22:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor release that fixes the ID parameter handling in /demo.php as soon as one exists; none is listed at the time of this page's enrichment, and the vendor did not respond to the disclosure. If the file is not needed, removing it from the web root eliminates the injection surface outright.
  • Until then, restrict access to /demo.php by IP address filtering or by placing the panel behind an authenticating gateway, so that only trusted administrators can reach it.
  • Deploy a web application firewall or application-layer filter in front of the panel that rejects ID values outside the format the endpoint legitimately accepts (a positive allowlist, rather than blocking known payloads), and review web-server and database logs for abnormal queries against /demo.php as a sign of attempted or successful compromise.
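
One way to carry out the log-review step in the last recommendation, as an added example that is not an OpenCVE or vendor tool: the script below scans web-server access-log lines for requests to /demo.php whose ID argument carries SQL injection indicators and summarizes the source addresses. The log lines are constructed, and the assumption that a legitimate ID is a bare integer is this example's, not the advisory's.

```python
"""Log review for the mitigation step above: flag requests to /demo.php whose
ID argument is not the plain value the endpoint expects and carries SQL
injection indicators. Added example, not an OpenCVE or vendor tool. The log
lines are constructed (combined log format, RFC 5737 test addresses) and the
indicator list is a small starting set, not a complete SQLi signature base."""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log. Lines 2-4 are attempts; the rest is normal traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Feb/2026:01:20:01 +0000] "GET /demo.php?ID=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Feb/2026:01:20:05 +0000] "GET /demo.php?ID=7%20AND%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Feb/2026:01:21:10 +0000] "GET /demo.php?ID=7%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 2048 "-" "sqlmap/1.8"
198.51.100.7 - - [08/Feb/2026:01:21:12 +0000] "GET /demo.php?ID=7'%20OR%20SLEEP(5)--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.8"
192.0.2.44 - - [08/Feb/2026:01:22:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.44 - - [08/Feb/2026:01:22:03 +0000] "GET /demo.php?ID=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumption (this example's, not the advisory's): the legitimate ID is a
# bare integer. Anything else is inspected for SQL keywords and the
# comment/quote characters typical of injection probes.
PLAIN_ID_RE = re.compile(r"\d+")
SQLI_INDICATORS = (
    re.compile(r"\b(union|select|sleep|benchmark|or|and)\b", re.IGNORECASE),
    re.compile(r"(--|/\*|#|;|')"),
)


def parse_line(line: str):
    """Return the fields we need from one combined-format line, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious_id(value: str) -> bool:
    """True when the (already URL-decoded) ID value looks like an injection."""
    if PLAIN_ID_RE.fullmatch(value):
        return False
    return any(p.search(value) for p in SQLI_INDICATORS)


def scan(log_text: str) -> list:
    """Collect suspicious /demo.php requests from a log body."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if parts.path != "/demo.php":
            continue
        # parse_qsl percent-decodes the values; the argument name is matched
        # case-insensitively in case the application does the same.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key.lower() == "id" and is_suspicious_id(value):
                hits.append({"ip": rec["ip"], "ts": rec["ts"],
                             "status": rec["status"], "id": value})
    return hits


def sources(hits: list) -> Counter:
    """Count attempts per client address, the usual pivot for blocking."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} status={h['status']} ID={h['id']!r}")
    print(dict(sources(found)))
```

Because the check starts from what a legitimate value looks like and only then consults the indicator list, a harmless but oddly formatted ID is still reported for a human to look at, while ordinary integer IDs never trigger the regexes. Run it over the real access log with `scan(open(path).read())`; a 200 status on a flagged line does not prove the injection succeeded, so the database query log is the next place to look.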

Tracking

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 20:30:00 +0000

Type    Values Removed    Values Added
CPEs                      cpe:2.3:a:xiaopi:panel:*:*:*:*:*:*:*:*

Tue, 10 Feb 2026 20:15:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Xiaopi
                                        Xiaopi panel
Vendors & Products                      Xiaopi
                                        Xiaopi panel

Sun, 08 Feb 2026 01:15:00 +0000

Type          Values Removed    Values Added
Description                     A security flaw has been discovered in Xiaopi Panel up to 20260126. This impacts an unknown function of the file /demo.php of the component WAF Firewall. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title                           Xiaopi Panel WAF Firewall demo.php sql injection
Weaknesses                      CWE-74
                                CWE-89
References
Metrics                         cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                                cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:36:25.225Z

Reserved: 2026-02-06T14:51:43.982Z

Link: CVE-2026-2122

Vulnrichment

Updated: 2026-02-10T19:36:33.047Z

NVD

Status : Analyzed

Published: 2026-02-08T01:16:10.180

Modified: 2026-03-05T20:20:33.907

Link: CVE-2026-2122

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:15:29Z

Weaknesses