CVE-2025-26198

CRITICAL LAB

Vishalmathur Cloudclassroom-php Project - SQL Injection

Title source: rule

Description

CloudClassroom-PHP-Project v1.0 contains a critical SQL Injection vulnerability in the loginlinkadmin.php component. The application fails to sanitize user-supplied input in the admin login form before directly including it in SQL queries. This allows unauthenticated attackers to inject arbitrary SQL payloads and bypass authentication, gaining unauthorized administrative access. The vulnerability is triggered when an attacker supplies specially crafted input in the username field, such as ' OR '1'='1, leading to complete compromise of the login mechanism and potential exposure of sensitive backend data.

Exploits (2)

nomisec WORKING POC
by WailYacoubi9 · poc
https://github.com/WailYacoubi9/CVE-2025-26198
nomisec WRITEUP
by tansique-17 · poc
https://github.com/tansique-17/CVE-2025-26198

References (2)

Scores

CVSS v3 9.8
EPSS 0.0099
EPSS Percentile 77.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY
Community Lab
docker pull mysql:5.7

Details

CWE
CWE-89
Status published
Products (1)
vishalmathur/cloudclassroom-php_project 1.0
Published Jun 18, 2025
Tracked Since Feb 18, 2026