CVE-2018-25179

HIGH

Gumbo CMS 0.99 - Unauthenticated SQL Injection via Settings Endpoint Language Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25179. PoCs published by Ihsan Sencan.

AI-analyzed exploit summary This exploit demonstrates a SQL injection vulnerability in Gumbo CMS 0.99 via a crafted POST request to the settings endpoint. The payload extracts database information, including user, database name, and version, by leveraging a time-based blind SQLi technique.

Description

Gumbo CMS 0.99 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the language parameter. Attackers can send POST requests to the settings endpoint with crafted SQL payloads in the language parameter to extract sensitive database information including usernames, databases, and version details.

Exploits (1)

exploitdb WORKING POC
by Ihsan Sencan · textwebappsphp
https://www.exploit-db.com/exploits/45837

This exploit demonstrates a SQL injection vulnerability in Gumbo CMS 0.99 via a crafted POST request to the settings endpoint. The payload extracts database information, including user, database name, and version, by leveraging a time-based blind SQLi technique.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Gumbo CMS 0.99
Auth required
Prerequisites: valid session cookie (general_purpose) · access to the settings endpoint
devstral-2 · analyzed Mar 06, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/45837

Scores

CVSS v3 8.2
EPSS 0.0024
EPSS Percentile 14.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Published Mar 06, 2026
Tracked Since Mar 06, 2026