Cyber Posture

CVE-2018-25179

Severity: High · Public PoC

Published: 06 March 2026

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0012 (30.1st percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Gumbo CMS 0.99 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the language parameter. Attackers can send POST requests to the settings endpoint with crafted SQL payloads in the language parameter to extract sensitive database information including usernames, databases, and version details.

Mitigating Controls (NIST 800-53 r5) · AI

prevent: SI-10 (Information Input Validation) requires validation of user inputs such as the language parameter, so that malicious SQL payloads are rejected or sanitized before they reach the database and SQL injection is prevented.

prevent: SI-2 (Flaw Remediation) mandates identification, reporting, and correction of flaws such as this SQL injection vulnerability in the settings endpoint, through patching.

detect: RA-5 (Vulnerability Monitoring and Scanning) employs vulnerability scanning to identify SQL injection flaws like CVE-2018-25179 in Gumbo CMS for subsequent remediation.
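As an added illustration of the SI-10 control above (this is not code from Gumbo CMS, whose settings handler is not shown on this page; the settings table, its schema and the supported-language list are constructed assumptions), the injectable pattern the advisory describes is shown beside a handler that allowlists the language parameter and binds it as a query parameter:

```python
import logging
import sqlite3

log = logging.getLogger("settings")

# Assumption: the real CMS schema is unknown; this allowlist and table are constructed stand-ins.
SUPPORTED_LANGUAGES = frozenset({"en", "de", "fr", "es"})


def make_db():
    """Build an in-memory settings table with two rows (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT)")
    conn.executemany("INSERT INTO settings VALUES (?, ?)",
                     [("language", "en"), ("site_name", "Example Site")])
    conn.commit()
    return conn


def get_setting(conn, name):
    return conn.execute("SELECT value FROM settings WHERE name = ?", (name,)).fetchone()[0]


def update_language_vulnerable(conn, raw):
    """The CWE-89 pattern the advisory describes: untrusted input spliced into SQL text."""
    conn.execute("UPDATE settings SET value = '%s' WHERE name = 'language'" % raw)
    conn.commit()


def update_language_hardened(conn, raw):
    """SI-10 in practice: validate against an allowlist, then bind the value as a parameter.

    Returns (status, detail), modelled on the HTTP response to the settings POST.
    """
    if not isinstance(raw, str) or raw not in SUPPORTED_LANGUAGES:
        # Reject and record it: repeated rejections here are a useful detection signal.
        log.warning("settings: rejected language value %r", raw)
        return 400, "unsupported language"
    # Bound parameter: the value can never change the statement's structure.
    conn.execute("UPDATE settings SET value = ? WHERE name = 'language'", (raw,))
    conn.commit()
    return 200, raw
```

With the vulnerable handler a value containing a quote and a comment marker truncates the WHERE clause and overwrites every row; the hardened handler rejects the same value with a 400 and leaves the table untouched.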

Security Summary · AI

CVE-2018-25179 is an SQL injection vulnerability (CWE-89) affecting Gumbo CMS version 0.99. The flaw exists in the settings endpoint, which fails to properly sanitize the user-supplied language parameter, allowing attackers to inject and execute arbitrary SQL queries.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity by sending POST requests containing crafted SQL payloads in the language parameter. Successful exploitation enables extraction of sensitive database information, including usernames, databases, and version details. The issue carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), reflecting high confidentiality impact with low integrity impact and no availability impact.

Advisories and proof-of-concept exploits are documented in references including Exploit-DB at https://www.exploit-db.com/exploits/45837 and VulnCheck at https://www.vulncheck.com/advisories/gumbo-cms-sql-injection-via-settings-endpoint.

Details

CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.

Why these techniques?

SQL injection in a public-facing web application (the Gumbo CMS settings endpoint) is exploitation of a public-facing application (T1190), and the resulting extraction of sensitive database information, including usernames, is collection from databases (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References