Unauthenticated SQL Injection Flaws Expose Data in CMSsite and XATABoost CMS
Two content management systems were identified with unauthenticated SQL injection vulnerabilities that allow remote attackers to tamper with backend database queries and extract sensitive information. CVE-2019-25697 affects CMSsite 1.0, where the cat_id parameter in category.php can be abused through crafted GET requests, potentially exposing usernames, credentials, and other database contents.
A separate flaw, CVE-2018-25300, affects XATABoost CMS 1.0.0 through a union-based SQL injection in the id parameter of news.php, also reachable remotely without authentication via crafted GET requests. Both records were published with CWE-89 classification, CVSS v3.1 and v4.0 scoring data, and references to public advisories and exploit resources, underscoring the risk of database compromise in internet-exposed deployments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CVE-2018-25300 submitted for XATABoost CMS 1.0.0 SQL injection flaw
A new CVE entry for an unauthenticated union-based SQL injection in the id parameter of news.php in XATABoost CMS 1.0.0 was received by disclosure@vulncheck.com. The flaw can be exploited remotely via crafted GET requests to extract sensitive database information.
CMSsite 1.0 SQL injection vulnerability documented as CVE-2019-25697
A CVE record describes an unauthenticated SQL injection flaw in the cat_id parameter handled by category.php in CMSsite 1.0. The issue can be exploited with crafted GET requests to manipulate database queries and expose sensitive information such as usernames and credentials.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
SQL Injection Flaws Expose SourceCodester and CodeAstro Management Apps
MITRE has published two high-severity SQL injection vulnerabilities affecting widely available PHP-based management applications: **SourceCodester Payroll Management and Information System v1.0** and **CodeAstro Simple Attendance Management System v1.0**. The SourceCodester issue, tracked as `CVE-2026-37347`, affects `/payroll/view_employee.php` and is classified as `CWE-89`; its CVSS v3.1 vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N` indicates remote exploitation with no privileges or user interaction required, with high impact to confidentiality and integrity. The CodeAstro flaw, `CVE-2026-37749`, is also a `CWE-89` SQL injection bug and affects `index.php`, where the `username` parameter can be abused by remote, unauthenticated attackers to bypass authentication. Its CVSS v3.1 vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` reflects high impact across confidentiality, integrity, and availability. Both CVE entries were updated with severity details and public references, including GitHub documentation, underscoring the exposure of internet-reachable administrative and employee-management functions to straightforward injection attacks.
Apr 17, 2026
CI4MS Stored DOM XSS Flaws Enable Account Takeover and Privilege Escalation
Two high-severity vulnerabilities in **CI4MS**, a CodeIgniter 4-based CMS skeleton, allow authenticated low-privilege users to trigger **stored DOM-based XSS** that can lead to full account takeover across roles and privilege escalation. **`CVE-2026-34558`** affects the **Methods Management** functionality, where improperly sanitized and encoded user input can be stored server-side and later executed in administrative interfaces and global navigation components. A second flaw, **`CVE-2026-34565`**, impacts **Menu Management** for posts, where malicious post data added to navigation menus can execute in both admin dashboards and public-facing menus. Both issues are classified as **CWE-79** and carry the same **CVSS v3.1** vector, `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L`; they affect CI4MS versions prior to **`0.31.0.0`** and were patched in **`0.31.0.0`**.
Apr 6, 2026
SQL Injection Flaws Disclosed in KomSeo Cart and PilusCart
Two SQL injection vulnerabilities have been disclosed in legacy shopping cart software, affecting **KomSeo Cart 1.3** and **PilusCart 1.4.1**. The KomSeo Cart issue, tracked as `CVE-2018-25206`, affects the `my_item_search` parameter in `edit.php`, where crafted `POST` requests can trigger **boolean-based blind** or **error-based** SQL injection and expose sensitive database contents. The PilusCart flaw, tracked as `CVE-2019-25672`, affects the `send` parameter in a comment submission endpoint and allows unauthenticated attackers to perform **RLIKE-based boolean SQL injection** through `POST` requests. Both CVEs are classified as **CWE-89: Improper Neutralization of Special Elements used in an SQL Command** and were published with **CVSS v3.1** and **CVSS v4.0** scoring metadata. The records link to public references including **Exploit-DB**, **VulnCheck**, and project or vendor-related sources, indicating that exploit details and technical validation are available. Organizations still running either cart platform should treat the flaws as database-compromise risks because successful exploitation could allow attackers to extract sensitive information without authentication.
Apr 5, 2026