CVE-2025-10878

CRITICAL

Fikir Odalari AdminPando < 1.0.1 - Unauthenticated SQL Injection via Login Parameters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-10878. PoCs published by onurcangnc.

AI-analyzed exploit summary This is a detailed writeup documenting CVE-2025-10878, an SQL injection vulnerability in Fikir Odaları AdminPando v1.0.1 that allows authentication bypass via the 'username' and 'password' parameters. The document includes proof-of-concept payloads, impact analysis, and remediation details.

Description

A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and password parameters are vulnerable to SQL injection, allowing unauthenticated attackers to bypass authentication completely. Successful exploitation grants full administrative access to the application, including the ability to manipulate the public-facing website content (HTML/DOM manipulation).

Exploits (1)

nomisec WRITEUP
by onurcangnc · poc
https://github.com/onurcangnc/CVE-2025-10878-AdminPandov1.0.1-SQLi

This is a detailed writeup documenting CVE-2025-10878, an SQL injection vulnerability in Fikir Odaları AdminPando v1.0.1 that allows authentication bypass via the 'username' and 'password' parameters. The document includes proof-of-concept payloads, impact analysis, and remediation details.

Classification
Writeup 100%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: Fikir Odaları AdminPando v1.0.1
No auth needed
Prerequisites: Access to the login page at /admin/logIn.php
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 10.0
EPSS 0.0060
EPSS Percentile 43.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-89
Status published
Products (1)
omran/fikir_odalari_adminpando < 1.0.1
Published Feb 03, 2026
Tracked Since Feb 18, 2026