CVE-2019-25438

HIGH

LabCollector 5.423 - SQL Injection

Title source: llm

Description

LabCollector 5.423 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through POST parameters. Attackers can submit crafted SQL payloads in the login parameter of login.php or the user_name parameter of retrieve_password.php to extract sensitive database information without authentication.

Exploits (1)

exploitdb WRITEUP
by Carlos Avila · text · webapps · php
https://www.exploit-db.com/exploits/47460

Scores

CVSS v3 7.5
EPSS 0.0059
EPSS Percentile 69.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (2)
agilebio/labcollector 5.423
Labcollector/LabCollector 5.423
Published Feb 20, 2026
Tracked Since Feb 21, 2026