PMB SQL Injection Vulnerability in Administration Download Script

Vulnerability

A SQL injection vulnerability has been identified in PMB version 5.6, specifically within the administration download script located at '/admin/sauvegarde/download.php'. This vulnerability allows authenticated attackers to execute arbitrary SQL commands by manipulating the 'logid' parameter. Exploitation involves sending crafted requests to the vulnerable endpoint, enabling attackers to interact with the database in unauthorized ways.
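The advisory gives no source, so the following is an added illustration of the defect class it describes, not PMB's own code: a handler that splices the request's 'logid' value into SQL text, beside a hardened handler that validates the value as an integer and binds it as a query parameter. The table name, column names and the in-memory SQLite database are constructed for the demonstration; only the parameter name 'logid' comes from the advisory.

```python
"""Vulnerable pattern vs. hardened pattern for a 'logid'-style request
parameter. Added example for this advisory; not PMB code. The backup_log
table and its columns are assumptions, not the application's schema."""
import re
import sqlite3

# Accept only a plain positive integer; anything else is rejected before
# it reaches the database.
LOGID_RE = re.compile(r"[1-9][0-9]*")


def is_valid_logid(value):
    """True only for a string containing a plain positive integer."""
    return isinstance(value, str) and LOGID_RE.fullmatch(value) is not None


def demo_db():
    # Constructed in-memory table standing in for a backup-log table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE backup_log (logid INTEGER, owner TEXT, path TEXT)"
    )
    conn.executemany(
        "INSERT INTO backup_log VALUES (?, ?, ?)",
        [
            (1, "alice", "/backups/1.sql.gz"),
            (2, "bob", "/backups/2.sql.gz"),
            (3, "carol", "/backups/3.sql.gz"),
        ],
    )
    return conn


def unsafe_lookup(conn, logid):
    # Vulnerable pattern: the untrusted request value becomes part of the
    # SQL text, so the value can change the query's structure.
    sql = "SELECT path FROM backup_log WHERE logid = " + logid
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, logid):
    # Hardened pattern: strict validation, then a bound parameter. The
    # driver sends the value separately from the query text, so it can
    # only ever be compared as data.
    if not is_valid_logid(logid):
        raise ValueError("logid must be a positive integer")
    rows = conn.execute(
        "SELECT path FROM backup_log WHERE logid = ?", (int(logid),)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = demo_db()
    print("unsafe, normal value :", unsafe_lookup(db, "2"))
    print("unsafe, crafted value:", unsafe_lookup(db, "2 OR 1=1"))
    print("safe, normal value   :", safe_lookup(db, "2"))
    try:
        safe_lookup(db, "2 OR 1=1")
    except ValueError as exc:
        print("safe, crafted value  : rejected ->", exc)
```

The parameterized query is the actual fix; the integer check in front of it is defence in depth and also gives the application a clean place to log and reject malformed requests before any database work happens.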

Impact

Exploitation of this vulnerability allows for arbitrary SQL command execution, which could lead to unauthorized data access, data manipulation, or potentially executing administrative operations through the database.

Reproduction

To reproduce this vulnerability, an authenticated user must send a request to the '/admin/sauvegarde/download.php' endpoint with a manipulated 'logid' parameter. This can be done using a tool like SQLMap, targeting the 'logid' parameter to exploit the SQL injection.
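For defenders reviewing whether this endpoint has been probed, the following is an added example (not part of the advisory or of PMB) that scans web server access-log lines for requests to '/admin/sauvegarde/download.php' whose 'logid' value is not a plain integer. The log lines are constructed for the demonstration; it assumes the parameter arrives in the query string of a GET request in Apache/nginx combined-style log lines, which the advisory does not state.

```python
"""Flag requests to the download script whose 'logid' is not numeric.
Added example for this advisory; the log lines below are constructed and
the GET-query-string assumption is the author's, not the advisory's."""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the advisory.
TARGET_PATH = "/admin/sauvegarde/download.php"

# Common/combined log format up to the response size (referrer and
# user-agent fields, if present, are ignored by the trailing .*).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+.*$'
)

# Constructed sample log lines (timestamps and addresses are made up).
SAMPLE_LOG = [
    '10.0.0.5 - admin [03/Feb/2026:19:08:01 +0000] '
    '"GET /admin/sauvegarde/download.php?logid=12 HTTP/1.1" 200 4096',
    '10.0.0.9 - admin [03/Feb/2026:19:08:07 +0000] '
    '"GET /admin/sauvegarde/download.php?logid=12%20OR%201%3D1 HTTP/1.1" 200 4096',
    '10.0.0.9 - admin [03/Feb/2026:19:08:09 +0000] '
    '"GET /admin/sauvegarde/download.php?logid=12%27 HTTP/1.1" 500 512',
    '10.0.0.7 - - [03/Feb/2026:19:08:11 +0000] '
    '"GET /index.php?logid=abc HTTP/1.1" 200 128',
]


def suspicious_requests(lines):
    """Return (ip, user, timestamp, decoded logid) for each request to the
    download script whose logid value is not a plain integer."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than guess
        parts = urlsplit(m["target"])
        if not parts.path.endswith(TARGET_PATH):
            continue  # other endpoints are out of scope for this check
        # parse_qs percent-decodes values and turns '+' into a space.
        query = parse_qs(parts.query, keep_blank_values=True)
        for value in query.get("logid", []):
            if re.fullmatch(r"[0-9]+", value) is None:
                hits.append((m["ip"], m["user"], m["ts"], value))
    return hits


if __name__ == "__main__":
    for ip, user, ts, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} user={user} non-numeric logid={value!r}")
```

A non-numeric 'logid' is an anomaly in its own right, so the check does not need signatures for particular payloads; in practice, also look at the response codes and sizes on the flagged requests, and remember that a parameter sent in a POST body will not appear in the access log at all.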

Added: Feb 3, 2026, 7:08 PM
Updated: Feb 3, 2026, 7:08 PM

Vulnerability Rating

Custom Algorithm

  spread          0.8
  impact          3.1
  exploitability  6.6
  remediation     0.0
  relevance       2.6
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.