Cyber Posture

CVE-2025-10878

Severity: Critical · Public PoC

Published: 03 February 2026
Modified: 12 February 2026
KEV Added
Patch
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0018 (39.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and password parameters are vulnerable to SQL injection, allowing unauthenticated attackers to bypass authentication completely. Successful exploitation grants full administrative access to the application, including the ability to manipulate the public-facing website content (HTML/DOM manipulation).
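The script below is an added illustration and is not code from AdminPando, from the PoC repository or from the blog post cited in the Security Summary. It reproduces the CWE-89 pattern the description refers to in a self-contained Python/SQLite setting: a login query assembled by string concatenation, the same query with bound parameters, and the effect of a quote-and-comment payload in the username and an OR-true payload in the password on each. The schema, accounts, handler names and payloads are constructed for the example; the actual AdminPando query and the PoC's payloads are not reproduced here.

```python
import sqlite3

# Constructed in-memory user table for illustration. This is not AdminPando's
# schema or code; it reproduces only the CWE-89 pattern the advisory describes:
# username and password spliced into the login query as SQL text.
# (Plaintext passwords are for brevity; real systems store password hashes.)
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
INSERT INTO users (username, password, role) VALUES ('admin', 'S3cretAdminPw!', 'admin');
INSERT INTO users (username, password, role) VALUES ('editor', 'editor-pw', 'editor');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_login(conn, username, password):
    """Hypothetical vulnerable handler: input is concatenated into the SQL.

    A quote in either parameter ends the string literal and the rest of the
    input is parsed as SQL, which is the authentication bypass.
    """
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()  # (username, role) or None


def safe_login(conn, username, password):
    """Hardened handler: the same query with bound parameters.

    The driver passes the values as data, so a quote or comment marker in the
    input cannot change the structure of the query.
    """
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    """Run legitimate and injected inputs through both handlers."""
    conn = make_db()
    cases = {
        # Correct credentials work in both handlers.
        "legit_vulnerable": vulnerable_login(conn, "admin", "S3cretAdminPw!"),
        "legit_safe": safe_login(conn, "admin", "S3cretAdminPw!"),
        # Injection through the username: the "--" comment marker discards the
        # password check, so any password logs in as admin.
        "bypass_via_username": vulnerable_login(conn, "admin' --", "wrong"),
        # Injection through the password: OR makes the WHERE clause always
        # true, and the first row (the admin account) is returned.
        "bypass_via_password": vulnerable_login(conn, "nobody", "' OR '1'='1"),
        # The same payloads against the parameterized query match nothing.
        "safe_vs_username_payload": safe_login(conn, "admin' --", "wrong"),
        "safe_vs_password_payload": safe_login(conn, "nobody", "' OR '1'='1"),
    }
    conn.close()
    return cases


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:26s} -> {row}")
```

The point to take from the two handlers is that the fix is structural: binding parameters removes the injection regardless of what the input contains, whereas filtering quotes or keywords only narrows the set of payloads that work.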

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- SI-10 (prevent): SI-10 (Information Input Validation) requires that inputs such as the username and password parameters be validated before use. For this class of flaw the effective implementation is to pass both values to the database as bound parameters (prepared statements) rather than concatenating them into the login query; allow-list validation of the fields is defense in depth, not a substitute.

- SI-2 (prevent): SI-2 (Flaw Remediation) mandates timely remediation, here by applying the vendor update released on or after 2026-01-26 to affected AdminPando 1.0.1 installations, which eliminates the SQL injection vulnerability.

- SC-7 (prevent): SC-7 (Boundary Protection) enables a web application firewall or similar inspection point to block SQL injection payloads sent to the login endpoint. Treat this as a compensating control while the patch is applied: signature-based filters can be evaded with encoding and comment variants and do not remove the underlying flaw.

Security Summary [AI-generated]

CVE-2025-10878 is a SQL injection vulnerability (CWE-89) affecting the login functionality of Fikir Odalari AdminPando version 1.0.1 prior to the update dated 2026-01-26. The username and password parameters in the login process are directly vulnerable to SQL injection attacks, which can be used to bypass authentication mechanisms entirely.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction or privileges required, as reflected in its maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Successful exploitation grants full administrative access to the AdminPando application, enabling attackers to manipulate public-facing website content via HTML/DOM changes.

Further details, including a public proof-of-concept, are available in the references: the GitHub repository at https://github.com/onurcangnc/CVE-2025-10878-AdminPandov1.0.1-SQLi and the blog post at https://onurcangenc.com.tr/posts/cve-2025-10878-sql-authentication-bypass-in-fikir-odalar%C4%B1-adminpando/. Affected installations should be updated to the version released on or after 2026-01-26. Because the vector is unauthenticated and the PoC is public, any Internet-exposed AdminPando 1.0.1 instance should also be checked for signs of prior exploitation (unexpected administrative logins or changes to published page content) rather than only patched.

Details

CWE(s)
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Affected Products
Vendor: omran
Product: fikir odalari adminpando
Versions: ≤ 1.0.1

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The SQL injection in the login functionality of a public-facing web application is a direct instance of T1190: an unauthenticated request to the Internet-facing login endpoint bypasses authentication and yields administrative access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References