CVE-2015-5591

HIGH

zenphoto < 1.4.9 - Authenticated SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-5591.

AI-analyzed exploit summary: Technical analysis of multiple vulnerabilities in ZenPhoto 1.4.8, including SQL injection via ORDER BY manipulation, reflected XSS through error parameters, path traversal in theme editor, and arbitrary function execution. Provides specific exploit paths and payloads.

Description

SQL injection vulnerability in Zenphoto before 1.4.9 allows remote administrators to execute arbitrary SQL commands.

Exploits (1)

exploitdb WRITEUP
webapps · php
https://www.exploit-db.com/exploits/37602

Classification
Writeup 95%
Attack Type: Sqli | Xss | Info Leak | Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: ZenPhoto 1.4.8
Auth required
Prerequisites: Admin access to ZenPhoto · Error reporting enabled for SQLi
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 7.2
EPSS 0.0224
EPSS Percentile 80.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-89
Status published
Products (1)
zenphoto/zenphoto < 1.4.9
Published Dec 31, 2019
Tracked Since Feb 18, 2026