CVE-2019-25726

Deferred Deferred - Pending Action

SQL Injection in All in One Video Downloader

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: VulnCheck

Description

All in One Video Downloader 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send requests to the admin interface with UNION-based SQL injection payloads in the id parameter to extract sensitive database information including usernames, databases, and version details.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-04

Last Modified

2026-06-04

Generated

2026-06-25

AI Q&A

2026-06-04

EPSS Evaluated

2026-06-23

NVD

CVE-2019-25726

EUVD

EUVD-2019-20162

Affected Vendors & Products

Vendor	Product	Version / Range
niche_office	all_in_one_video_downloader	to 1.2 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2019-25726 is a SQL injection vulnerability found in All in One Video Downloader version 1.2. It allows unauthenticated attackers to inject malicious SQL code through the 'id' parameter in the admin page-edit functionality. This flaw occurs because the input is not properly sanitized, enabling attackers to execute arbitrary SQL queries.

By exploiting this vulnerability, attackers can use UNION-based SQL injection payloads to extract sensitive information from the database, such as usernames, database names, and version details.

Detection Guidance

This vulnerability can be detected by sending specially crafted HTTP requests to the admin interface of the All in One Video Downloader version 1.2, targeting the 'id' parameter with UNION-based SQL injection payloads.

A common detection method involves using tools like curl or sqlmap to test for SQL injection by injecting SQL payloads into the 'id' parameter of the admin page-edit URL.

Using curl to test for SQL injection: curl -v "http://target-site/admin/page-edit?id=1' UNION SELECT NULL--"
Using sqlmap to automate detection: sqlmap -u "http://target-site/admin/page-edit?id=1" --batch

Successful exploitation or detection typically reveals database information such as usernames, database names, or version details in the response.

Mitigation Strategies

Immediate mitigation steps include restricting access to the admin interface to trusted users only, such as by IP whitelisting or authentication enforcement.

Additionally, applying input validation and sanitization on the 'id' parameter to prevent SQL injection is critical.

If possible, update the All in One Video Downloader software to a version that patches this vulnerability or apply any available security patches.

As a temporary measure, monitoring and blocking suspicious requests containing SQL injection payloads targeting the 'id' parameter can help reduce risk.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive database information. Attackers can retrieve critical data such as database usernames, database names, and version information.

Such information disclosure can lead to further attacks, including privilege escalation, data theft, or manipulation of the database contents.

Because the vulnerability is exploitable without authentication and has a high severity score (CVSS 8.8), it poses a significant security risk to affected systems.

Compliance Impact

The SQL injection vulnerability in All in One Video Downloader 1.2 allows unauthenticated attackers to extract sensitive database information such as usernames and database details. This exposure of sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access.

By enabling attackers to access sensitive data through SQL injection, the vulnerability increases the risk of data breaches, which can result in legal and financial penalties under these regulations.

Hi! I’m here to help you understand CVE-2019-25726. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2019-25726

SQL Injection in All in One Video Downloader

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart