Primary

Context

XOOPS CMS SQL Injection Vulnerability in gerar_pdf.php Endpoint

Vulnerability

A SQL injection vulnerability has been identified in XOOPS CMS version 2.5.9. This vulnerability allows unauthenticated attackers to inject SQL code through the cid parameter in GET requests to the gerar_pdf.php endpoint. Exploitation of this vulnerability could lead to unauthorized manipulation of database queries and extraction of sensitive information from the database.

Impact

Exploitation of this vulnerability allows for SQL injection, enabling attackers to manipulate database queries and potentially access or modify sensitive database information.

Reproduction

To reproduce this vulnerability, send a GET request to the gerar_pdf.php endpoint with a malicious cid parameter that includes SQL injection payloads. This can be done using a web browser or a tool like curl or Postman.

Added: Feb 22, 2026, 2:21 PM

Updated: Feb 22, 2026, 2:21 PM

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

2.5

exploitability

9.7

remediation

0.0

relevance

3.1

threat

6.4

urgency

2.9

incentive

8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

2.5

exploitability

9.7

remediation

0.0

relevance

3.1

threat

6.4

urgency

2.9

incentive

8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

XOOPS CMS SQL Injection Vulnerability in gerar_pdf.php Endpoint

Vulnerability

Impact

Reproduction

Affected Products

XOOPS CMS

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating