CVE-2018-25179
Received Received - Intake
SQL Injection in Gumbo CMS 0.99 Allows Data Extraction

Publication date: 2026-03-06

Last updated on: 2026-03-06

Assigner: VulnCheck

Description
Gumbo CMS 0.99 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the language parameter. Attackers can send POST requests to the settings endpoint with crafted SQL payloads in the language parameter to extract sensitive database information including usernames, databases, and version details.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-06
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2018-25179
EUVD
EUVD-2018-21634
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gumbo_cms gumbo_cms 0.99
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Executive Summary

[{'type': 'paragraph', 'content': 'Gumbo CMS version 0.99 contains a high-severity SQL injection vulnerability in its PHP web application. This flaw exists in the "settings" endpoint where the "language" parameter is not properly sanitized.'}, {'type': 'paragraph', 'content': 'Unauthenticated attackers can send crafted POST requests with malicious SQL code in the language parameter, allowing them to execute arbitrary SQL queries on the backend database.'}, {'type': 'paragraph', 'content': 'This enables attackers to extract sensitive database information such as usernames, database names, and version details.'}] [1, 2]

Impact Analysis

This vulnerability allows unauthenticated remote attackers to execute arbitrary SQL queries on the Gumbo CMS backend database.

As a result, attackers can extract sensitive information including database usernames, database names, and version details.

Such unauthorized data disclosure can lead to further attacks, compromise of user data, and potential loss of confidentiality.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending crafted POST requests to the settings endpoint of Gumbo CMS 0.99, specifically targeting the language parameter with SQL injection payloads.'}, {'type': 'paragraph', 'content': 'A typical detection method involves using tools like curl or specialized vulnerability scanners to send POST requests with malicious SQL code in the language parameter and observing the response for signs of SQL injection.'}, {'type': 'list_item', 'content': 'Example curl command to test the vulnerability: curl -X POST -d "language=\' OR 1=1--" http://[target]/settings/en'}, {'type': 'list_item', 'content': 'Monitor responses for database error messages or unexpected data that indicate successful SQL injection.'}] [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the settings endpoint, applying input validation and sanitization on the language parameter, and updating or patching Gumbo CMS to a version that addresses this SQL injection vulnerability.

If an official patch is not available, consider implementing web application firewall (WAF) rules to block malicious SQL payloads targeting the language parameter.

Additionally, monitor logs for suspicious POST requests to the settings endpoint and limit network exposure of the Gumbo CMS application.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25179. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart