CVE-2009-2326

KerviNet Forum <1.1 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-2326. PoCs published by eLwaux.

AI-analyzed exploit summary The exploit demonstrates multiple vulnerabilities in KerviNet, including blind SQL injection, SQL injection, XSS (stored and reflected), path disclosure, and unauthorized user deletion. It provides specific payloads and attack vectors for each vulnerability.

Description

Multiple SQL injection vulnerabilities in KerviNet Forum 1.1 and earlier allow remote attackers to execute arbitrary SQL commands via (1) an enter_parol cookie to index.php in an auto action or (2) the topic parameter to message.php. NOTE: vector 2 can be leveraged for a cross-site scripting (XSS) attack.

Exploits (1)

exploitdb WORKING POC VERIFIED

by eLwaux · textwebappsphp

https://www.exploit-db.com/exploits/9068

View Code ZIP pw:eip

The exploit demonstrates multiple vulnerabilities in KerviNet, including blind SQL injection, SQL injection, XSS (stored and reflected), path disclosure, and unauthorized user deletion. It provides specific payloads and attack vectors for each vulnerability.

Classification

Working Poc 95%

Attack Type

Sqli | Xss | Info Leak | Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: KerviNet (version not specified)

No auth needed

Prerequisites: Access to the target web application

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter T1055 - Process Injection

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/9068

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://osvdb.org/55693

Scores

EPSS 0.0091

EPSS Percentile 55.4%

Details

CWE

CWE-89

Status published

Products (1)

max_kervin/kervinet_forum < 1.1

Published Jul 05, 2009

Tracked Since Feb 18, 2026