CVE-2018-25187

HIGH

Tina4 Stack 1.0.3 - Unauthenticated SQL Injection and Database File Download via Menu Endpoint

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25187. PoCs published by Ihsan Sencan.

AI-analyzed exploit summary: The exploit demonstrates an SQL injection and database file download vulnerability in Tina4 Stack 1.0.3. It includes a direct download of the SQLite database file and an example of SQL injection via a crafted HTTP request.

Description

Tina4 Stack 1.0.3 contains multiple vulnerabilities allowing unauthenticated attackers to access sensitive database files and execute SQL injection attacks. Attackers can directly request the kim.db database file to retrieve user credentials and password hashes, or inject SQL code through the menu endpoint to manipulate database queries.

Exploits (1)

exploitdb WORKING POC
by Ihsan Sencan · text · webapps · php
https://www.exploit-db.com/exploits/45833

Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Tina4 Stack 1.0.3
No auth needed
Prerequisites: access to the target web server
devstral-2 · analyzed Mar 06, 2026

References (2)

Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/45833

Scores

CVSS v3: 8.2
EPSS: 0.0035
EPSS Percentile: 26.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-89
Status: published
Products (1): tina4/tina4_stack 1.0.3
Published: Mar 06, 2026
Tracked Since: Mar 06, 2026