CVE-2005-4139

ThWboard < 3 Beta 2.84 - SQL Injection via Calendar Year Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2005-4139. PoCs published by trueend5.

AI-analyzed exploit summary The provided text describes multiple input validation vulnerabilities in ThWboard, including SQL injection, HTML injection, and cross-site scripting (XSS). It outlines the lack of proper sanitization of user-supplied input and potential impacts such as credential theft and arbitrary code execution.

Description

Multiple SQL injection vulnerabilities in ThWboard before 3 Beta 2.84 allow remote attackers to execute arbitrary SQL commands via the (1) year parameter in calendar.php, (2) user parameter array in v_profile.php, and (3) the userid parameter in misc.php.

Exploits (3)

exploitdb WRITEUP VERIFIED
by trueend5 · textwebappsphp
https://www.exploit-db.com/exploits/26756

The provided text describes multiple input validation vulnerabilities in ThWboard, including SQL injection, HTML injection, and cross-site scripting (XSS). It outlines the lack of proper sanitization of user-supplied input and potential impacts such as credential theft and arbitrary code execution.

Classification
Writeup 90%
Attack Type
Sqli | Xss
Complexity
Trivial
Reliability
Theoretical
Target: ThWboard version 3 beta 2.8
No auth needed
Prerequisites: Access to the vulnerable ThWboard application
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by trueend5 · textwebappsphp
https://www.exploit-db.com/exploits/26757

The provided text describes multiple input validation vulnerabilities in ThWboard, including SQL injection, HTML injection, and XSS. It includes a sample SQL injection URL but lacks executable exploit code.

Classification
Writeup 90%
Attack Type
Sqli | Xss | Info Leak
Complexity
Trivial
Reliability
Theoretical
Target: ThWboard 3 beta 2.8
No auth needed
Prerequisites: Access to the vulnerable ThWboard instance
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by trueend5 · textwebappsphp
https://www.exploit-db.com/exploits/26755

The provided text describes multiple input validation vulnerabilities in ThWboard, including SQL injection, HTML injection, and XSS. It includes a sample SQL injection URL but lacks executable exploit code.

Classification
Writeup 90%
Attack Type
Sqli | Xss
Complexity
Trivial
Reliability
Theoretical
Target: ThWboard 3 beta 2.8
No auth needed
Prerequisites: Access to the vulnerable ThWboard instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8
Core References
Exploit, Patch, Vendor Advisory x_refsource_misc
http://kapda.ir/advisory-149.html
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/238
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/418837/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/21738
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/23531
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/21737
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/15763
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/21739

Scores

EPSS 0.0176
EPSS Percentile 75.1%

Details

Status published
Products (1)
thwboard/thwboard_beta 2.8
Published Dec 09, 2005
Tracked Since Feb 18, 2026