CloudClassroom-PHP-Project v1.0 - Unauthenticated SQL Injection via Admin Login Username Field
Exploitation Summary
EIP tracks 2 public exploits for CVE-2025-26198. PoCs published by WailYacoubi9, tansique-17.
AI-analyzed exploit summary: This repository contains a functional proof-of-concept for CVE-2025-26198, demonstrating SQL injection vulnerabilities in CloudClassroom-PHP-Project v1.0. It includes both vulnerable and patched versions of the code, along with Python scripts to exploit the vulnerability using multiple SQL injection techniques.
Description
CloudClassroom-PHP-Project v1.0 contains a critical SQL Injection vulnerability in the loginlinkadmin.php component. The application fails to sanitize user-supplied input in the admin login form before directly including it in SQL queries. This allows unauthenticated attackers to inject arbitrary SQL payloads and bypass authentication, gaining unauthorized administrative access. The vulnerability is triggered when an attacker supplies specially crafted input in the username field, such as ' OR '1'='1, leading to complete compromise of the login mechanism and potential exposure of sensitive backend data.
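The flaw class described above, shown next to a hardened login check. This is an added example, not code from CloudClassroom-PHP-Project or from the listed PoC repositories. The table, columns, function names and query shape are hypothetical, and an in-memory SQLite database (PDO) stands in for the application's backend.

```php
<?php
// Constructed demo. In-memory SQLite stands in for the application's database;
// the table, column and function names below are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (username TEXT PRIMARY KEY, password TEXT, pass_hash TEXT)');
$db->prepare('INSERT INTO admin VALUES (?, ?, ?)')
   ->execute(['admin', 's3cret-sample', password_hash('s3cret-sample', PASSWORD_DEFAULT)]);

// Vulnerable pattern: form input is concatenated into the SQL text, so quote
// characters in $user become part of the WHERE clause instead of a value.
function login_vulnerable(PDO $db, string $user, string $pass): bool {
    $sql = "SELECT 1 FROM admin WHERE password = '$pass' AND username = '$user'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened pattern: the username is bound as a parameter (always data, never
// SQL), and the password is checked in PHP against a stored hash.
function login_hardened(PDO $db, string $user, string $pass): bool {
    $st = $db->prepare('SELECT pass_hash FROM admin WHERE username = :u');
    $st->execute([':u' => $user]);
    $hash = $st->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

// Constructed inputs; the third username is the string quoted in the description.
$cases = [
    ['admin', 's3cret-sample'],   // legitimate login
    ['admin', 'wrong-password'],  // wrong password
    ["' OR '1'='1", 'anything'],  // crafted username
];
foreach ($cases as [$u, $p]) {
    printf("%-16s vulnerable=%-5s hardened=%s\n",
        json_encode($u),
        var_export(login_vulnerable($db, $u, $p), true),
        var_export(login_hardened($db, $u, $p), true));
}
```

Both functions accept the legitimate login and reject the wrong password. Only the concatenating version accepts the crafted username, because the bound parameter is compared as a literal string that matches no row.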
Exploits (2)
This repository contains a functional proof-of-concept for CVE-2025-26198, demonstrating SQL injection vulnerabilities in CloudClassroom-PHP-Project v1.0. It includes both vulnerable and patched versions of the code, along with Python scripts to exploit the vulnerability using multiple SQL injection techniques.
This repository contains a detailed writeup for CVE-2025-26198, a critical SQL injection vulnerability in CloudClassroom-PHP-Project v1.0. The vulnerability allows unauthenticated attackers to bypass authentication via SQL injection in the login mechanism.
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H