SQL Injection Flaws Disclosed in KomSeo Cart and PilusCart
Two SQL injection vulnerabilities have been disclosed in legacy shopping cart software, affecting KomSeo Cart 1.3 and PilusCart 1.4.1. The KomSeo Cart issue, tracked as CVE-2018-25206, affects the my_item_search parameter in edit.php, where crafted POST requests can trigger boolean-based blind or error-based SQL injection and expose sensitive database contents. The PilusCart flaw, tracked as CVE-2019-25672, affects the send parameter in a comment submission endpoint and allows unauthenticated attackers to perform RLIKE-based boolean SQL injection through POST requests.
Both CVEs are classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command and were published with CVSS v3.1 and CVSS v4.0 scoring metadata. The records link to public references including Exploit-DB, VulnCheck, and project or vendor-related sources, indicating that exploit details and technical validation are available. Organizations still running either cart platform should treat the flaws as database-compromise risks because successful exploitation could allow attackers to extract sensitive information without authentication.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CVE-2019-25672 recorded for PilusCart 1.4.1 SQL injection
A CVE entry documented an unauthenticated SQL injection vulnerability in PilusCart 1.4.1 via the 'send' parameter in the comment submission endpoint. The issue enables RLIKE-based boolean SQL injection through POST requests and could be used to extract sensitive database information.
CVE-2018-25206 recorded for KomSeo Cart 1.3 SQL injection
A CVE entry for an SQL injection vulnerability in KomSeo Cart 1.3 was recorded, affecting the 'my_item_search' parameter in edit.php. The flaw allows crafted POST requests to trigger boolean-based blind or error-based SQL injection and extract sensitive database information.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Unauthenticated SQL Injection Flaws Expose Data in CMSsite and XATABoost CMS
Two content management systems were identified with **unauthenticated SQL injection** vulnerabilities that allow remote attackers to tamper with backend database queries and extract sensitive information. `CVE-2019-25697` affects **CMSsite 1.0**, where the `cat_id` parameter in `category.php` can be abused through crafted `GET` requests, potentially exposing usernames, credentials, and other database contents. A separate flaw, `CVE-2018-25300`, affects **XATABoost CMS 1.0.0** through a **union-based SQL injection** in the `id` parameter of `news.php`, also reachable remotely without authentication via crafted `GET` requests. Both records were published with **CWE-89** classification, CVSS v3.1 and v4.0 scoring data, and references to public advisories and exploit resources, underscoring the risk of database compromise in internet-exposed deployments.
Apr 29, 2026
Critical File Write and RCE Flaws Disclosed in Shopizer, JeeSite, and Krayin CRM
Newly published CVEs detail severe application-layer vulnerabilities in three widely used web platforms. **Shopizer 3.2.5** is affected by `CVE-2026-36767`, a critical path traversal flaw in the `/content/images/add` endpoint that lets an unauthenticated attacker send a crafted POST request and write arbitrary files to any writable path. **JeeSite 5.15.1** is affected by `CVE-2026-36760`, where the `fileMd5` parameter in `/a/file/upload` can be abused during chunked uploads to traverse directories and write arbitrary files with whitelisted suffixes to attacker-chosen filesystem locations; exploitation requires authenticated access with file upload permissions. A separate high-severity issue, `CVE-2026-36340`, affects **Krayin CRM 2.1.5** and allows remote code execution through the compose email function. The flaw was classified as `CWE-94` and has been fixed in **Krayin CRM 2.1.6**. The Shopizer and JeeSite bugs were both classified as `CWE-22` and carry high-impact CVSS ratings reflecting serious risk to confidentiality and integrity, with Shopizer also exposing availability. Public references for all three issues were added alongside their CVE records, including linked GitHub documentation and issue reports describing the vulnerabilities.
May 24, 2026
SQL Injection Flaws Expose SourceCodester and CodeAstro Management Apps
MITRE has published two high-severity SQL injection vulnerabilities affecting widely available PHP-based management applications: **SourceCodester Payroll Management and Information System v1.0** and **CodeAstro Simple Attendance Management System v1.0**. The SourceCodester issue, tracked as `CVE-2026-37347`, affects `/payroll/view_employee.php` and is classified as `CWE-89`; its CVSS v3.1 vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N` indicates remote exploitation with no privileges or user interaction required, with high impact to confidentiality and integrity. The CodeAstro flaw, `CVE-2026-37749`, is also a `CWE-89` SQL injection bug and affects `index.php`, where the `username` parameter can be abused by remote, unauthenticated attackers to bypass authentication. Its CVSS v3.1 vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` reflects high impact across confidentiality, integrity, and availability. Both CVE entries were updated with severity details and public references, including GitHub documentation, underscoring the exposure of internet-reachable administrative and employee-management functions to straightforward injection attacks.
Apr 17, 2026