CVE-2014-9457

PMB < 4.1.3 - Authenticated SQL Injection via id Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-9457. PoCs published by xd4rker dark.

AI-analyzed exploit summary The exploit describes a post-authentication SQL injection vulnerability in PMB <= 4.1.3 due to improper sanitization of the $notice_id variable in classes/mono_display.class.php. It provides a proof-of-concept URL and SQLMap usage instructions for exploitation.

Description

SQL injection vulnerability in classes/mono_display.class.php in PMB 4.1.3 and earlier allows remote authenticated users to execute arbitrary SQL commands via the id parameter to catalog.php.

Exploits (1)

exploitdb WRITEUP
by xd4rker dark · textwebappsphp
https://www.exploit-db.com/exploits/35625

The exploit describes a post-authentication SQL injection vulnerability in PMB <= 4.1.3 due to improper sanitization of the $notice_id variable in classes/mono_display.class.php. It provides a proof-of-concept URL and SQLMap usage instructions for exploitation.

Classification
Writeup 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: PMB <= 4.1.3
Auth required
Prerequisites: Authenticated user session · Access to the target application
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/35625

Scores

EPSS 0.0106
EPSS Percentile 60.2%

Details

CWE
CWE-89
Status published
Products (1)
pmb_services/pmb < 4.1.3
Published Jan 02, 2015
Tracked Since Feb 18, 2026