New CVEs Detail ThinkPHP RCE and Ask Expert Script SQLi/XSS Flaws
New CVE records document two high-severity web application vulnerabilities affecting ThinkPHP 5.0.23 and Ask Expert Script 3.0.5. CVE-2018-25270 describes an unauthenticated remote code execution flaw in ThinkPHP in which attackers can invoke functions through the routing parameter and send crafted requests to index.php to execute arbitrary PHP code. The issue is rated high impact across confidentiality, integrity, and availability under CVSS v3.1 and is referenced by public advisories and an Exploit-DB proof of concept.
A separate entry, CVE-2019-25676, affects Ask Expert Script 3.0.5 and combines unauthenticated cross-site scripting and SQL injection weaknesses exposed through URL parameters. According to the record, attackers can inject script tags via the cateid parameter in categorysearch.php and inject SQL through the view parameter in list-details.php, potentially enabling browser-side code execution and database data extraction. The CVE maps the flaws to CWE-79 and includes vendor, advisory, and exploit references, underscoring continued risk from exposed legacy PHP applications.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CVE-2018-25270 disclosed for ThinkPHP 5.0.23 RCE
A CVE entry documenting a remote code execution vulnerability in ThinkPHP 5.0.23 was received by disclosure@vulncheck.com. The issue allows unauthenticated attackers to execute arbitrary PHP code through crafted requests to index.php using the invokefunction routing mechanism.
CVE-2019-25676 disclosed for Ask Expert Script 3.0.5 flaws
A CVE entry documenting cross-site scripting and SQL injection vulnerabilities in Ask Expert Script 3.0.5 was received by disclosure@vulncheck.com. The flaws affect categorysearch.php and list-details.php and can be exploited by unauthenticated attackers via crafted URL parameters.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Unauthenticated SQL Injection Flaws Expose Data in CMSsite and XATABoost CMS
Two content management systems were identified with **unauthenticated SQL injection** vulnerabilities that allow remote attackers to tamper with backend database queries and extract sensitive information. `CVE-2019-25697` affects **CMSsite 1.0**, where the `cat_id` parameter in `category.php` can be abused through crafted `GET` requests, potentially exposing usernames, credentials, and other database contents. A separate flaw, `CVE-2018-25300`, affects **XATABoost CMS 1.0.0** through a **union-based SQL injection** in the `id` parameter of `news.php`, also reachable remotely without authentication via crafted `GET` requests. Both records were published with **CWE-89** classification, CVSS v3.1 and v4.0 scoring data, and references to public advisories and exploit resources, underscoring the risk of database compromise in internet-exposed deployments.
Apr 29, 2026
SQL Injection Flaws Expose SourceCodester and CodeAstro Management Apps
MITRE has published two high-severity SQL injection vulnerabilities affecting widely available PHP-based management applications: **SourceCodester Payroll Management and Information System v1.0** and **CodeAstro Simple Attendance Management System v1.0**. The SourceCodester issue, tracked as `CVE-2026-37347`, affects `/payroll/view_employee.php` and is classified as `CWE-89`; its CVSS v3.1 vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N` indicates remote exploitation with no privileges or user interaction required, with high impact to confidentiality and integrity. The CodeAstro flaw, `CVE-2026-37749`, is also a `CWE-89` SQL injection bug and affects `index.php`, where the `username` parameter can be abused by remote, unauthenticated attackers to bypass authentication. Its CVSS v3.1 vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` reflects high impact across confidentiality, integrity, and availability. Both CVE entries were updated with severity details and public references, including GitHub documentation, underscoring the exposure of internet-reachable administrative and employee-management functions to straightforward injection attacks.
Apr 17, 2026
Unauthenticated RCE in com_mb24sysapi and High-Severity CSRF in DedeCMS
A newly recorded vulnerability, **CVE-2026-32968**, affects the `com_mb24sysapi` module and allows **unauthenticated remote code execution** through an OS command injection flaw. The weakness is classified as **CWE-78** and stems from improper neutralization of special elements in OS commands, enabling a remote attacker to execute arbitrary commands and potentially take full control of an affected system. The CVE is described as a variant of `CVE-2020-10383`, carries a **CVSS v3.1** vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, and is referenced by CERT VDE advisories **VDE-2026-024** and **VDE-2026-025**. A separate high-severity issue, **CVE-2026-29839**, was recorded for **DedeCMS v5.7.118** in the `/sys_task_add.php` component. The flaw is a **Cross-Site Request Forgery** vulnerability classified as **CWE-352**, and its updated **CVSS v3.1** vector is `AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`, indicating that successful exploitation could significantly affect confidentiality, integrity, and availability. The record includes references to a public gist and the DedeCMS website, highlighting another internet-exposed web application weakness with potentially serious impact.
Mar 24, 2026