CVE-2017-9730

CRITICAL

nuevomailer < 6.0 - SQL Injection via r Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-9730. PoCs published by Oleg Boytsev.

AI-analyzed exploit summary This exploit demonstrates a time-based SQL injection vulnerability in nuevoMailer version 6.0 and earlier via the 'r' parameter in rdr.php. It includes a proof-of-concept URL and a sqlmap command for exploitation.

Description

SQL injection vulnerability in rdr.php in nuevoMailer version 6.0 and earlier allows remote attackers to execute arbitrary SQL commands via the "r" parameter.

Exploits (1)

exploitdb WORKING POC
by Oleg Boytsev · textwebappsphp
https://www.exploit-db.com/exploits/42193

This exploit demonstrates a time-based SQL injection vulnerability in nuevoMailer version 6.0 and earlier via the 'r' parameter in rdr.php. It includes a proof-of-concept URL and a sqlmap command for exploitation.

Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: nuevoMailer version 6.0 and earlier
No auth needed
Prerequisites: Access to the vulnerable endpoint /inc/rdr.php
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42193/

Scores

CVSS v3 9.8
EPSS 0.0196
EPSS Percentile 77.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
dfsol/nuevomailer < 6.0
Published Jun 19, 2017
Tracked Since Feb 18, 2026