CVE-2019-16125
CRITICALJobberbase 2.0 - SQL Injection via Category Parameter
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2019-16125. PoCs published by Damian Ebelties.
AI-analyzed exploit summary This script exploits a SQL injection vulnerability in Jobberbase 2.0 via the 'subscribe' endpoint to extract admin credentials. It uses blind SQLi with UPDATEXML to dump the username and password hash in chunks.
Description
In Jobberbase 2.0, the parameter category is not sanitized in public/page_subscribe.php, leading to /subscribe SQL injection.
Exploits (1)
exploitdb
WORKING POC
by Damian Ebelties · bashwebappsphp
https://www.exploit-db.com/exploits/47314
This script exploits a SQL injection vulnerability in Jobberbase 2.0 via the 'subscribe' endpoint to extract admin credentials. It uses blind SQLi with UPDATEXML to dump the username and password hash in chunks.
Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target:
Jobberbase 2.0
No auth needed
Prerequisites:
Target must be running Jobberbase 2.0 with exposed /subscribe/ endpoint
devstral-2 · analyzed Feb 16, 2026
Full analysis →
References (2)
Core 2
Core References
Third Party Advisory, URL Repurposed x_refsource_misc
https://zerodays.lol/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/47314
Scores
CVSS v3
9.8
EPSS
0.0219
EPSS Percentile
80.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (1)
jobberbase/jobberbase
2.0
Published
Sep 09, 2019
Tracked Since
Feb 18, 2026