CVE-2024-58309

CRITICAL

Xbtitfm - SQL Injection

Title source: rule

Description

xbtitFM 4.1.18 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries by injecting malicious SQL code through the msgid parameter. Attackers can send crafted requests to /shoutedit.php with EXTRACTVALUE functions to extract database names, user credentials, and password hashes from the underlying database.

Exploits (1)

exploitdb WORKING POC

by h5kj23kj32io2kj · textwebappsphp

https://www.exploit-db.com/exploits/51909

View Code ZIP pw:eip

References (3)

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/51909

[Third Party Advisory] https://www.vulncheck.com/advisories/xbtitfm-unauthenticated-sql-injection-in-shouteditphp

[Product] https://xbtitfm.eu

Scores

CVSS v3 9.8

EPSS 0.0038

EPSS Percentile 59.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (2)

xbtitfm/xbtitfm 4.1.18

xbtitfm/xbtitFM 4.1.18

Published Dec 11, 2025

Tracked Since Feb 18, 2026