Fikir Odaları AdminPando SQL Injection Authentication Bypass Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the login functionality of Fikir Odaları AdminPando version 1.0.1, prior to January 26, 2026. The vulnerability arises in the username and password parameters, allowing unauthenticated attackers to bypass authentication entirely. Exploitation of this vulnerability grants full administrative access to the application, including the ability to manipulate content on the public-facing website through HTML and DOM changes.

Impact

Exploitation of this vulnerability leads to complete authentication bypass, unauthorized administrative access, and full control over the HTML and DOM of the public website. This allows for malicious content distribution to visitors, potential damage to the application's brand and reputation, and possible exposure of user data.

Reproduction

The vulnerability can be reproduced by sending a crafted payload in the username or password fields of the login form on the '/admin' endpoint. The payload should exploit the SQL query handling of the login authentication, such as using SQL injection techniques to bypass authentication checks. Once the injection is successful, access to the admin panel is granted.

Remediation

Users are advised to update to the latest version of Fikir Odaları AdminPando, as the vulnerability has been patched.
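The flaw the advisory describes is a login query that splices the submitted username and password straight into SQL text. The added example below (not AdminPando's own code; its schema, column names and credentials are assumed for illustration) places that unsafe pattern beside the hardened form a maintainer would ship: bound parameters plus a salted hash checked in constant time.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample store. AdminPando's real schema and code are not public,
# so the table, columns and credentials below are assumptions for illustration.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, "
               "salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    # The plaintext 'password' column exists only to model the unsafe legacy check.
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("admin", "correct horse battery", salt,
                hash_password("correct horse battery", salt)))
    return db

def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    # The pattern the advisory describes: both fields are spliced into the SQL
    # text, so a quote character in either one rewrites the WHERE clause.
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return db.execute(query).fetchone() is not None

def login_hardened(db: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameters keep the input as data, never as SQL; the credential is
    # then verified against a salted PBKDF2 hash with a constant-time compare.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)

def compare_checks(username: str, password: str) -> tuple[bool, bool]:
    """Return (vulnerable_result, hardened_result) for one login attempt."""
    db = make_db()
    return login_vulnerable(db, username, password), login_hardened(db, username, password)

if __name__ == "__main__":
    print("valid credentials:", compare_checks("admin", "correct horse battery"))
    # A tautology in the password field: accepted by the unsafe query because it
    # becomes part of the SQL, rejected by the parameterized one.
    print("tautology payload: ", compare_checks("admin", "' OR '1'='1"))
```

Running it prints (True, True) for the real credentials and (True, False) for the tautology, which is the regression check to keep alongside the fix.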

Added: Feb 3, 2026, 8:26 PM
Updated: Feb 3, 2026, 8:26 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          5.0
  exploitability  8.7
  remediation     0.0
  relevance       2.5
  threat          6.4
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.