CVE-2014-3978

TomatoCart <1.1.8.6.1 - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-3978. PoCs published by Breaking.Technology.

AI-analyzed exploit summary This exploit demonstrates a SQL injection vulnerability in TomatoCart v1.x by manipulating input fields in the address book to extract admin credentials. The PoC leverages improper sanitization of colons in user input to bypass security measures.

Description

SQL injection vulnerability in TomatoCart 1.1.8.6.1 allows remote authenticated users to execute arbitrary SQL commands via the First Name and Last Name fields in a new address book contact.

Exploits (1)

exploitdb WORKING POC
by Breaking.Technology · textwebappsphp
https://www.exploit-db.com/exploits/34308

This exploit demonstrates a SQL injection vulnerability in TomatoCart v1.x by manipulating input fields in the address book to extract admin credentials. The PoC leverages improper sanitization of colons in user input to bypass security measures.

Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: TomatoCart v1.x (latest-stable)
Auth required
Prerequisites: Valid user account
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

Scores

EPSS 0.0173
EPSS Percentile 74.8%

Details

CWE
CWE-89
Status published
Products (1)
tomatocart/tomatocart 1.1.8.6.1
Published Oct 20, 2014
Tracked Since Feb 18, 2026